diff --git a/k3-kyverno-test/dummy-app/.helmignore b/k3-kyverno-test/dummy-app/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/k3-kyverno-test/dummy-app/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/k3-kyverno-test/dummy-app/Chart.yaml b/k3-kyverno-test/dummy-app/Chart.yaml new file mode 100644 index 0000000..bec7ac0 --- /dev/null +++ b/k3-kyverno-test/dummy-app/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: dummy-app +description: A dummy Helm chart for testing Kyverno policies on CPU resource requests and limits + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.21.0" diff --git a/k3-kyverno-test/dummy-app/templates/NOTES.txt b/k3-kyverno-test/dummy-app/templates/NOTES.txt new file mode 100644 index 0000000..52f187a --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dummy-app.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "dummy-app.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "dummy-app.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "dummy-app.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/k3-kyverno-test/dummy-app/templates/_helpers.tpl b/k3-kyverno-test/dummy-app/templates/_helpers.tpl new file mode 100644 index 0000000..b60022f --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "dummy-app.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dummy-app.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "dummy-app.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "dummy-app.labels" -}} +helm.sh/chart: {{ include "dummy-app.chart" . }} +{{ include "dummy-app.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "dummy-app.selectorLabels" -}} +app.kubernetes.io/name: {{ include "dummy-app.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "dummy-app.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "dummy-app.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/k3-kyverno-test/dummy-app/templates/deployment-high-resource.yaml b/k3-kyverno-test/dummy-app/templates/deployment-high-resource.yaml new file mode 100644 index 0000000..cdb26fb --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/deployment-high-resource.yaml @@ -0,0 +1,71 @@ +{{- if .Values.testScenarios.highResource }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "dummy-app.fullname" . }}-high-resource + labels: + {{- include "dummy-app.labels" . | nindent 4 }} + scenario: high-resource +spec: + replicas: 1 + selector: + matchLabels: + {{- include "dummy-app.selectorLabels" . | nindent 6 }} + scenario: high-resource + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "dummy-app.labels" . | nindent 8 }} + scenario: high-resource + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "dummy-app.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.testScenarios.highResource.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/k3-kyverno-test/dummy-app/templates/deployment-no-limits.yaml b/k3-kyverno-test/dummy-app/templates/deployment-no-limits.yaml new file mode 100644 index 0000000..40fa6ca --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/deployment-no-limits.yaml @@ -0,0 +1,71 @@ +{{- if .Values.testScenarios.noLimits }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "dummy-app.fullname" . }}-no-limits + labels: + {{- include "dummy-app.labels" . | nindent 4 }} + scenario: no-limits +spec: + replicas: 1 + selector: + matchLabels: + {{- include "dummy-app.selectorLabels" . | nindent 6 }} + scenario: no-limits + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "dummy-app.labels" . | nindent 8 }} + scenario: no-limits + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "dummy-app.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.testScenarios.noLimits.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/k3-kyverno-test/dummy-app/templates/deployment.yaml b/k3-kyverno-test/dummy-app/templates/deployment.yaml new file mode 100644 index 0000000..cd1b2d2 --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/deployment.yaml @@ -0,0 +1,78 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "dummy-app.fullname" . }} + labels: + {{- include "dummy-app.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "dummy-app.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "dummy-app.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "dummy-app.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + {{- with .Values.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/k3-kyverno-test/dummy-app/templates/hpa.yaml b/k3-kyverno-test/dummy-app/templates/hpa.yaml new file mode 100644 index 0000000..d7c2459 --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "dummy-app.fullname" . }} + labels: + {{- include "dummy-app.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "dummy-app.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/k3-kyverno-test/dummy-app/templates/ingress.yaml b/k3-kyverno-test/dummy-app/templates/ingress.yaml new file mode 100644 index 0000000..beae8d1 --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/ingress.yaml @@ -0,0 +1,43 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "dummy-app.fullname" . }} + labels: + {{- include "dummy-app.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.ingress.className }} + ingressClassName: {{ . }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- with .pathType }} + pathType: {{ . }} + {{- end }} + backend: + service: + name: {{ include "dummy-app.fullname" $ }} + port: + number: {{ $.Values.service.port }} + {{- end }} + {{- end }} +{{- end }} diff --git a/k3-kyverno-test/dummy-app/templates/service.yaml b/k3-kyverno-test/dummy-app/templates/service.yaml new file mode 100644 index 0000000..bcb2c6f --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "dummy-app.fullname" . }} + labels: + {{- include "dummy-app.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "dummy-app.selectorLabels" . | nindent 4 }} diff --git a/k3-kyverno-test/dummy-app/templates/serviceaccount.yaml b/k3-kyverno-test/dummy-app/templates/serviceaccount.yaml new file mode 100644 index 0000000..52da7d6 --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "dummy-app.serviceAccountName" . }} + labels: + {{- include "dummy-app.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} diff --git a/k3-kyverno-test/dummy-app/templates/tests/test-connection.yaml b/k3-kyverno-test/dummy-app/templates/tests/test-connection.yaml new file mode 100644 index 0000000..a8e2ca4 --- /dev/null +++ b/k3-kyverno-test/dummy-app/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "dummy-app.fullname" . }}-test-connection" + labels: + {{- include "dummy-app.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "dummy-app.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/k3-kyverno-test/dummy-app/values.yaml b/k3-kyverno-test/dummy-app/values.yaml new file mode 100644 index 0000000..119d086 --- /dev/null +++ b/k3-kyverno-test/dummy-app/values.yaml @@ -0,0 +1,151 @@ +# Default values for dummy-app. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ +replicaCount: 1 + +# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/ +image: + repository: nginx + # This sets the pull policy for images. + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "1.21" + +# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# This is to override the chart name. +nameOverride: "" +fullnameOverride: "" + +# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/ +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +# This is for setting Kubernetes Annotations to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +podAnnotations: {} +# This is for setting Kubernetes Labels to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/ +service: + # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + type: ClusterIP + # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports + port: 80 + +# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +# Resource configuration for Kyverno testing +# These values will be used to test CPU request/limit policies +resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + +# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +livenessProbe: + httpGet: + path: / + port: http +readinessProbe: + httpGet: + path: / + port: http + +# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/ +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# Additional volumes on the output Deployment definition. +volumes: [] +# - name: foo +# secret: +# secretName: mysecret +# optional: false + +# Additional volumeMounts on the output Deployment definition. +volumeMounts: [] +# - name: foo +# mountPath: "/etc/foo" +# readOnly: true + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# Kyverno test scenarios +# You can override these values to test different scenarios +testScenarios: + # Scenario 1: Low resource requirements (should pass most policies) + lowResource: + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 25m + memory: 64Mi + + # Scenario 2: High resource requirements (might trigger policies) + highResource: + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 500m + memory: 512Mi + + # Scenario 3: No resource limits (should trigger policies requiring limits) + noLimits: + resources: + requests: + cpu: 100m + memory: 128Mi diff --git a/k3-kyverno-test/kyverno-policy/kyverno-policies.yaml b/k3-kyverno-test/kyverno-policy/kyverno-policies.yaml new file mode 100644 index 0000000..2cad5ec --- /dev/null +++ b/k3-kyverno-test/kyverno-policy/kyverno-policies.yaml @@ -0,0 +1,153 @@ +--- +# CPU 요청 필수 정책 +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-cpu-requests + annotations: + policies.kyverno.io/title: Require CPU Requests + policies.kyverno.io/category: Resource Management + policies.kyverno.io/description: >- + 모든 컨테이너에 CPU 요청이 설정되어야 합니다. +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-cpu-requests + match: + any: + - resources: + kinds: + - Pod + validate: + message: "CPU 요청이 설정되어야 합니다" + pattern: + spec: + containers: + - name: "*" + resources: + requests: + cpu: "?*" + +--- +# CPU 제한 필수 정책 +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-cpu-limits + annotations: + policies.kyverno.io/title: Require CPU Limits + policies.kyverno.io/category: Resource Management + policies.kyverno.io/description: >- + 모든 컨테이너에 CPU 제한이 설정되어야 합니다. +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-cpu-limits + match: + any: + - resources: + kinds: + - Pod + validate: + message: "CPU 제한이 설정되어야 합니다" + pattern: + spec: + containers: + - name: "*" + resources: + limits: + cpu: "?*" + +--- +# 최대 CPU 제한 정책 +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: limit-cpu-usage + annotations: + policies.kyverno.io/title: Limit CPU Usage + policies.kyverno.io/category: Resource Management + policies.kyverno.io/description: >- + CPU 제한이 500m을 초과할 수 없습니다. +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-cpu-limit-range + match: + any: + - resources: + kinds: + - Pod + validate: + message: "CPU 제한은 500m을 초과할 수 없습니다" + deny: + conditions: + any: + - key: "{{ request.object.spec.containers[?contains(@.resources.limits.cpu, 'm')].resources.limits.cpu | [0] | to_number(@) }}" + operator: GreaterThan + value: 500 + +--- +# CPU 요청/제한 비율 정책 +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpu-request-limit-ratio + annotations: + policies.kyverno.io/title: CPU Request Limit Ratio + policies.kyverno.io/category: Resource Management + policies.kyverno.io/description: >- + CPU 요청은 CPU 제한의 50% 이상이어야 합니다. +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-cpu-ratio + match: + any: + - resources: + kinds: + - Pod + validate: + message: "CPU 요청은 CPU 제한의 50% 이상이어야 합니다" + deny: + conditions: + any: + - key: "{{ request.object.spec.containers[0].resources.requests.cpu | to_number(@) }}" + operator: LessThan + value: "{{ request.object.spec.containers[0].resources.limits.cpu | to_number(@) | multiply(@, `0.5`) }}" + +--- +# 기본 리소스 추가 정책 (Mutate) +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-default-resources + annotations: + policies.kyverno.io/title: Add Default Resources + policies.kyverno.io/category: Resource Management + policies.kyverno.io/description: >- + 리소스가 설정되지 않은 컨테이너에 기본 리소스를 추가합니다. +spec: + rules: + - name: add-default-cpu-requests + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + spec: + containers: + - (name): "*" + resources: + requests: + +(cpu): "100m" + +(memory): "128Mi" + limits: + +(cpu): "200m" + +(memory): "256Mi" \ No newline at end of file diff --git a/k3-kyverno-test/kyverno-test-report-20250531-165306.md b/k3-kyverno-test/kyverno-test-report-20250531-165306.md new file mode 100644 index 0000000..28cb953 --- /dev/null +++ b/k3-kyverno-test/kyverno-test-report-20250531-165306.md @@ -0,0 +1,552 @@ +# Kyverno 테스트 리포트 + +**테스트 시작 시간**: 2025-05-31 16:53:06 +**테스트 환경**: k3s 클러스터 +**목적**: CPU 리소스 요청/제한에 대한 Kyverno 정책 효과 검증 + +## 테스트 개요 + +1. 더미 앱 15개 배포하여 노드 리소스 50-60% 사용 +2. Kyverno 정책 배포 (CPU 제한을 300m으로 제한) +3. 정책 효과 확인 +4. 리소스 사용량 변화 측정 + +--- + +## 디렉토리 구조 + +``` +/home/dongdorrong/github/private/kubernetes/k3-kyverno-test/ +├── dummy-app/ # Helm 차트 +│ ├── Chart.yaml +│ ├── values.yaml +│ └── templates/ +├── kyverno/ # Kyverno Helm 차트 +├── kyverno-policy/ # 정책 파일들 +├── simple-test.sh # 기본 테스트 스크립트 +└── test-with-report.sh # 리포트 생성 스크립트 +``` + +--- + +16:53:06 [INFO] 전체 테스트 시작 +16:53:06 [INFO] 1단계: 더미 앱들을 배포하여 노드 리소스 50-60% 사용 + +## 1단계: 더미 앱 배포 + +**목표**: 각 앱당 800m CPU 요청, 1000m CPU 제한으로 15개 배포 +**예상 총 CPU 요청**: 12000m (50%) +**예상 총 CPU 제한**: 15000m (62.5%) + + +## 배포 전 노드 상태 + +**시간**: 2025-05-31 16:53:06 + +### 노드 기본 정보 +``` +NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME +dongdorrong Ready control-plane,master 62m v1.32.5+k3s1 172.25.237.158 Ubuntu 24.04.2 LTS 5.15.153.1-microsoft-standard-WSL2 containerd://2.0.5-k3s1.32 +``` + +### 리소스 할당 현황 +``` +Allocated resources: + (Total limits may be over 100 percent, i.e., overcommitted.) + Resource Requests Limits + -------- -------- ------ + cpu 600m (2%) 100m (0%) + memory 460Mi (2%) 938Mi (5%) + ephemeral-storage 0 (0%) 0 (0%) + hugepages-1Gi 0 (0%) 0 (0%) + hugepages-2Mi 0 (0%) 0 (0%) +Events: +``` + +### 현재 실행 중인 파드 +``` +NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +kube-system coredns-697968c856-jqj2s 1/1 Running 0 62m 10.42.0.4 dongdorrong +kube-system helm-install-traefik-97g6p 0/1 Completed 1 62m 10.42.0.5 dongdorrong +kube-system helm-install-traefik-crd-mjljj 0/1 Completed 0 62m 10.42.0.6 dongdorrong +kube-system local-path-provisioner-774c6665dc-882j7 1/1 Running 0 62m 10.42.0.3 dongdorrong +kube-system metrics-server-6f4c6675d5-9tgjj 1/1 Running 0 62m 10.42.0.2 dongdorrong +kube-system svclb-traefik-c082f6f0-qrfdz 2/2 Running 0 62m 10.42.0.7 dongdorrong +kube-system traefik-c98fdf6fb-g9nvs 1/1 Running 0 62m 10.42.0.8 dongdorrong +kyverno kyverno-admission-controller-6d55595bd5-d44p4 1/1 Running 0 50m 10.42.0.9 dongdorrong +kyverno kyverno-background-controller-5fccfb6b67-x8726 1/1 Running 0 50m 10.42.0.12 dongdorrong +kyverno kyverno-cleanup-controller-6867df796b-zj9tz 1/1 Running 0 50m 10.42.0.11 dongdorrong +kyverno kyverno-reports-controller-565dc659dd-mkhmh 1/1 Running 0 50m 10.42.0.10 dongdorrong +``` + +### 실시간 리소스 사용량 +``` +NAME CPU(cores) CPU(%) MEMORY(bytes) MEMORY(%) +dongdorrong 150m 0% 2554Mi 16% +``` + +--- + +16:53:06 [INFO] 더미 앱 1 배포 중... +✅ dummy-1 배포 성공 +16:53:08 [INFO] 더미 앱 2 배포 중... +✅ dummy-2 배포 성공 +16:53:10 [INFO] 더미 앱 3 배포 중... +✅ dummy-3 배포 성공 +16:53:23 [INFO] 더미 앱 4 배포 중... +✅ dummy-4 배포 성공 +16:53:25 [INFO] 더미 앱 5 배포 중... +✅ dummy-5 배포 성공 +16:53:27 [INFO] 현재까지 5개 배포 시도 완료 (성공: 5, 실패: 0) +현재 실행 중인 더미 파드 수: 15 +16:53:27 [INFO] 더미 앱 6 배포 중... +✅ dummy-6 배포 성공 +16:53:39 [INFO] 더미 앱 7 배포 중... +✅ dummy-7 배포 성공 +16:53:41 [INFO] 더미 앱 8 배포 중... +✅ dummy-8 배포 성공 +16:53:44 [INFO] 더미 앱 9 배포 중... +✅ dummy-9 배포 성공 +16:53:56 [INFO] 더미 앱 10 배포 중... +✅ dummy-10 배포 성공 +16:53:58 [INFO] 현재까지 10개 배포 시도 완료 (성공: 10, 실패: 0) +현재 실행 중인 더미 파드 수: 30 +16:53:58 [INFO] 더미 앱 11 배포 중... +✅ dummy-11 배포 성공 +16:54:00 [INFO] 더미 앱 12 배포 중... +✅ dummy-12 배포 성공 +16:54:13 [INFO] 더미 앱 13 배포 중... +✅ dummy-13 배포 성공 +16:54:15 [INFO] 더미 앱 14 배포 중... +✅ dummy-14 배포 성공 +16:54:27 [INFO] 더미 앱 15 배포 중... +✅ dummy-15 배포 성공 +16:54:30 [INFO] 현재까지 15개 배포 시도 완료 (성공: 15, 실패: 0) +현재 실행 중인 더미 파드 수: 45 +16:54:30 [INFO] 모든 더미 앱 배포 완료 (성공: 15, 실패: 0) + +**배포 결과**: 성공 15개, 실패 0개 + + +## 배포 후 노드 상태 + +**시간**: 2025-05-31 16:54:30 + +### 노드 기본 정보 +``` +NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME +dongdorrong Ready control-plane,master 64m v1.32.5+k3s1 172.25.237.158 Ubuntu 24.04.2 LTS 5.15.153.1-microsoft-standard-WSL2 containerd://2.0.5-k3s1.32 +``` + +### 리소스 할당 현황 +``` +Allocated resources: + (Total limits may be over 100 percent, i.e., overcommitted.) + Resource Requests Limits + -------- -------- ------ + cpu 21600m (90%) 30100m (125%) + memory 13900Mi (87%) 23978Mi (150%) + ephemeral-storage 0 (0%) 0 (0%) + hugepages-1Gi 0 (0%) 0 (0%) + hugepages-2Mi 0 (0%) 0 (0%) +Events: +``` + +### 현재 실행 중인 파드 +``` +NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +default dummy-1-dummy-app-67d6596fbc-knp7f 1/1 Running 0 84s 10.42.0.69 dongdorrong +default dummy-1-dummy-app-high-resource-76769bd998-ftqgl 1/1 Running 0 84s 10.42.0.67 dongdorrong +default dummy-1-dummy-app-no-limits-5497cfb4f7-xr8gb 1/1 Running 0 84s 10.42.0.68 dongdorrong +default dummy-10-dummy-app-5b9d6b9d47-pztgp 1/1 Running 0 34s 10.42.0.95 dongdorrong +default dummy-10-dummy-app-high-resource-68d77bb57d-6bhgm 1/1 Running 0 34s 10.42.0.94 dongdorrong +default dummy-10-dummy-app-no-limits-5dc8c9448f-stv95 1/1 Running 0 34s 10.42.0.96 dongdorrong +default dummy-11-dummy-app-bb588988-zrx72 1/1 Running 0 32s 10.42.0.97 dongdorrong +default dummy-11-dummy-app-high-resource-6dc87bdb5f-fsvtw 1/1 Running 0 32s 10.42.0.98 dongdorrong +default dummy-11-dummy-app-no-limits-7d7b4b8b7b-g4x7x 1/1 Running 0 32s 10.42.0.99 dongdorrong +default dummy-12-dummy-app-55fbfb5-mw6p8 1/1 Running 0 29s 10.42.0.102 dongdorrong +default dummy-12-dummy-app-high-resource-b59d6d9cb-9jbrn 1/1 Running 0 29s 10.42.0.100 dongdorrong +default dummy-12-dummy-app-no-limits-5f9bbff575-fv6wt 1/1 Running 0 29s 10.42.0.101 dongdorrong +default dummy-13-dummy-app-687fdbfc86-hnqcv 1/1 Running 0 17s 10.42.0.103 dongdorrong +default dummy-13-dummy-app-high-resource-7ccf69964f-7sq7g 1/1 Running 0 17s 10.42.0.105 dongdorrong +default dummy-13-dummy-app-no-limits-b8849b8c4-22cc4 1/1 Running 0 17s 10.42.0.104 dongdorrong +default dummy-14-dummy-app-5f8557f555-b58vp 1/1 Running 0 15s 10.42.0.108 dongdorrong +default dummy-14-dummy-app-high-resource-5f94b776b6-7dxjr 1/1 Running 0 15s 10.42.0.106 dongdorrong +default dummy-14-dummy-app-no-limits-7cc7f549c7-6w2zb 1/1 Running 0 15s 10.42.0.107 dongdorrong +default dummy-15-dummy-app-fc75f544-kbfk8 1/1 Running 0 2s 10.42.0.109 dongdorrong +default dummy-15-dummy-app-high-resource-5df6d8f9bc-7ktkw 1/1 Running 0 2s 10.42.0.110 dongdorrong +default dummy-15-dummy-app-no-limits-55884ff8d4-qjft5 1/1 Running 0 2s 10.42.0.111 dongdorrong +default dummy-2-dummy-app-75598fdd76-dnplj 1/1 Running 0 82s 10.42.0.71 dongdorrong +default dummy-2-dummy-app-high-resource-cd4ccd59f-hcg2g 1/1 Running 0 82s 10.42.0.70 dongdorrong +default dummy-2-dummy-app-no-limits-d9c699b9b-gzvr9 1/1 Running 0 82s 10.42.0.72 dongdorrong +default dummy-3-dummy-app-7d454fc9df-ncmnh 1/1 Running 0 79s 10.42.0.75 dongdorrong +default dummy-3-dummy-app-high-resource-79f8474f9b-wltpv 1/1 Running 0 79s 10.42.0.73 dongdorrong +default dummy-3-dummy-app-no-limits-7d88889b8c-kt9nd 1/1 Running 0 79s 10.42.0.74 dongdorrong +default dummy-4-dummy-app-76bd767bdb-k5bvh 1/1 Running 0 67s 10.42.0.77 dongdorrong +default dummy-4-dummy-app-high-resource-75f7f978b9-nrhv4 1/1 Running 0 67s 10.42.0.76 dongdorrong +default dummy-4-dummy-app-no-limits-745dcfd6f4-vnsgm 1/1 Running 0 67s 10.42.0.78 dongdorrong +default dummy-5-dummy-app-7c8f496b87-66lf8 1/1 Running 0 65s 10.42.0.81 dongdorrong +default dummy-5-dummy-app-high-resource-6b56c9d4b-nrzjq 1/1 Running 0 65s 10.42.0.80 dongdorrong +default dummy-5-dummy-app-no-limits-6585655dd5-68bhm 1/1 Running 0 65s 10.42.0.79 dongdorrong +default dummy-6-dummy-app-5784d4cf8d-t4b6l 1/1 Running 0 63s 10.42.0.82 dongdorrong +default dummy-6-dummy-app-high-resource-5fbcfb9d87-hlsq6 1/1 Running 0 63s 10.42.0.83 dongdorrong +default dummy-6-dummy-app-no-limits-b4668c7d4-p599c 1/1 Running 0 63s 10.42.0.84 dongdorrong +default dummy-7-dummy-app-859545ccb5-9n2k4 1/1 Running 0 51s 10.42.0.87 dongdorrong +default dummy-7-dummy-app-high-resource-b564dcc56-kmcjb 1/1 Running 0 51s 10.42.0.85 dongdorrong +default dummy-7-dummy-app-no-limits-8fccc6b47-s4n8w 1/1 Running 0 51s 10.42.0.86 dongdorrong +default dummy-8-dummy-app-68d46566f4-m5smz 1/1 Running 0 48s 10.42.0.88 dongdorrong +default dummy-8-dummy-app-high-resource-85c77b5bf7-hhrq7 1/1 Running 0 48s 10.42.0.90 dongdorrong +default dummy-8-dummy-app-no-limits-8747c8f86-mrskd 1/1 Running 0 48s 10.42.0.89 dongdorrong +default dummy-9-dummy-app-5bc88c8dc-dnl58 1/1 Running 0 46s 10.42.0.92 dongdorrong +default dummy-9-dummy-app-high-resource-bb5c9d85d-58852 1/1 Running 0 46s 10.42.0.91 dongdorrong +default dummy-9-dummy-app-no-limits-6fd77c8bf7-pz7k6 1/1 Running 0 46s 10.42.0.93 dongdorrong +kube-system coredns-697968c856-jqj2s 1/1 Running 0 64m 10.42.0.4 dongdorrong +kube-system helm-install-traefik-97g6p 0/1 Completed 1 64m 10.42.0.5 dongdorrong +kube-system helm-install-traefik-crd-mjljj 0/1 Completed 0 64m 10.42.0.6 dongdorrong +kube-system local-path-provisioner-774c6665dc-882j7 1/1 Running 0 64m 10.42.0.3 dongdorrong +kube-system metrics-server-6f4c6675d5-9tgjj 1/1 Running 0 64m 10.42.0.2 dongdorrong +kube-system svclb-traefik-c082f6f0-qrfdz 2/2 Running 0 63m 10.42.0.7 dongdorrong +kube-system traefik-c98fdf6fb-g9nvs 1/1 Running 0 63m 10.42.0.8 dongdorrong +kyverno kyverno-admission-controller-6d55595bd5-d44p4 1/1 Running 0 51m 10.42.0.9 dongdorrong +kyverno kyverno-background-controller-5fccfb6b67-x8726 1/1 Running 0 51m 10.42.0.12 dongdorrong +kyverno kyverno-cleanup-controller-6867df796b-zj9tz 1/1 Running 0 51m 10.42.0.11 dongdorrong +kyverno kyverno-reports-controller-565dc659dd-mkhmh 1/1 Running 0 51m 10.42.0.10 dongdorrong +``` + +### 실시간 리소스 사용량 +``` +NAME CPU(cores) CPU(%) MEMORY(bytes) MEMORY(%) +dongdorrong 661m 2% 3553Mi 22% +``` + +--- + +16:54:30 [INFO] 현재 노드 리소스 사용량 확인 +16:54:31 [INFO] 2단계: Kyverno 정책 배포 + +## 2단계: Kyverno 정책 배포 + +### 적용된 정책 +```yaml +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: limit-cpu-usage + annotations: + policies.kyverno.io/title: Limit CPU Usage + policies.kyverno.io/category: Resource Management + policies.kyverno.io/description: CPU 제한을 300m 이하로 제한 +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-cpu-limit + match: + any: + - resources: + kinds: + - Pod + validate: + message: "CPU 제한은 300m을 초과할 수 없습니다" + pattern: + spec: + containers: + - name: "*" + resources: + limits: + cpu: "<=300m" +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-cpu-limits + annotations: + policies.kyverno.io/title: Mutate CPU Limits + policies.kyverno.io/category: Resource Management + policies.kyverno.io/description: CPU 제한이 300m을 초과하면 300m으로 변경 +spec: + rules: + - name: reduce-cpu-limits + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + spec: + containers: + - (name): "*" + resources: + limits: + cpu: "300m" + requests: + cpu: "150m" +``` + +16:54:31 [INFO] Kyverno 정책 적용 완료 +✅ Kyverno 정책 적용 성공 + +### 정책 상태 확인 +``` +NAME ADMISSION BACKGROUND READY AGE MESSAGE +limit-cpu-usage true true True 5s Ready +mutate-cpu-limits true true True 5s Ready +``` + +16:54:36 [INFO] 3단계: 새로운 앱 배포하여 정책 효과 확인 + +## 3단계: 정책 효과 테스트 + +### 높은 CPU 제한 앱 배포 테스트 (1000m) +16:54:36 [INFO] 높은 CPU 제한으로 앱 배포 시도 (1000m - 정책 위반 예상) +16:54:38 [WARNING] ⚠️ 높은 CPU 제한 앱이 배포되었습니다 (정책이 적용되지 않았거나 mutate됨) +⚠️ 높은 CPU 제한 앱 배포 성공 (정책이 mutate했을 가능성) + +**실제 적용된 리소스 설정**: +``` + Limits: + cpu: 300m + memory: 256Mi + Requests: + cpu: 150m + memory: 128Mi + Liveness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Readiness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Environment: + Mounts: + /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-5xbnc (ro) +-- + Limits: + cpu: 300m + memory: 1Gi + Requests: + cpu: 150m + memory: 512Mi + Liveness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Readiness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Environment: + Mounts: + /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-2pc9g (ro) +-- + Limits: + cpu: 300m + Requests: + cpu: 150m + memory: 128Mi + Liveness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Readiness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Environment: + Mounts: + /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-x4nxl (ro) +Conditions: +``` + +### 낮은 CPU 제한 앱 배포 테스트 (200m) +16:54:39 [INFO] 낮은 CPU 제한으로 앱 배포 시도 (200m - 정책 통과 예상) +16:54:51 [INFO] ✅ 낮은 CPU 제한 앱이 성공적으로 배포되었습니다 +✅ 낮은 CPU 제한 앱 배포 성공 + +**실제 적용된 리소스 설정**: +``` + Limits: + cpu: 300m + memory: 256Mi + Requests: + cpu: 150m + memory: 128Mi + Liveness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Readiness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Environment: + Mounts: + /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-rwzzw (ro) +-- + Limits: + cpu: 300m + memory: 1Gi + Requests: + cpu: 150m + memory: 512Mi + Liveness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Readiness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Environment: + Mounts: + /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-r4kw5 (ro) +-- + Limits: + cpu: 300m + Requests: + cpu: 150m + memory: 128Mi + Liveness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Readiness: http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3 + Environment: + Mounts: + /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-s7vxr (ro) +Conditions: +``` + +16:54:51 [INFO] 4단계: 리소스 사용량 변화 확인 + +## 4단계: 리소스 사용량 변화 확인 + + +## 정책 적용 후 노드 상태 + +**시간**: 2025-05-31 16:54:51 + +### 노드 기본 정보 +``` +NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME +dongdorrong Ready control-plane,master 64m v1.32.5+k3s1 172.25.237.158 Ubuntu 24.04.2 LTS 5.15.153.1-microsoft-standard-WSL2 containerd://2.0.5-k3s1.32 +``` + +### 리소스 할당 현황 +``` +Allocated resources: + (Total limits may be over 100 percent, i.e., overcommitted.) + Resource Requests Limits + -------- -------- ------ + cpu 22500m (93%) 31900m (132%) + memory 15436Mi (96%) 26538Mi (166%) + ephemeral-storage 0 (0%) 0 (0%) + hugepages-1Gi 0 (0%) 0 (0%) + hugepages-2Mi 0 (0%) 0 (0%) +Events: +``` + +### 현재 실행 중인 파드 +``` +NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +default dummy-1-dummy-app-67d6596fbc-knp7f 1/1 Running 0 105s 10.42.0.69 dongdorrong +default dummy-1-dummy-app-high-resource-76769bd998-ftqgl 1/1 Running 0 105s 10.42.0.67 dongdorrong +default dummy-1-dummy-app-no-limits-5497cfb4f7-xr8gb 1/1 Running 0 105s 10.42.0.68 dongdorrong +default dummy-10-dummy-app-5b9d6b9d47-pztgp 1/1 Running 0 55s 10.42.0.95 dongdorrong +default dummy-10-dummy-app-high-resource-68d77bb57d-6bhgm 1/1 Running 0 55s 10.42.0.94 dongdorrong +default dummy-10-dummy-app-no-limits-5dc8c9448f-stv95 1/1 Running 0 55s 10.42.0.96 dongdorrong +default dummy-11-dummy-app-bb588988-zrx72 1/1 Running 0 53s 10.42.0.97 dongdorrong +default dummy-11-dummy-app-high-resource-6dc87bdb5f-fsvtw 1/1 Running 0 53s 10.42.0.98 dongdorrong +default dummy-11-dummy-app-no-limits-7d7b4b8b7b-g4x7x 1/1 Running 0 53s 10.42.0.99 dongdorrong +default dummy-12-dummy-app-55fbfb5-mw6p8 1/1 Running 0 50s 10.42.0.102 dongdorrong +default dummy-12-dummy-app-high-resource-b59d6d9cb-9jbrn 1/1 Running 0 50s 10.42.0.100 dongdorrong +default dummy-12-dummy-app-no-limits-5f9bbff575-fv6wt 1/1 Running 0 50s 10.42.0.101 dongdorrong +default dummy-13-dummy-app-687fdbfc86-hnqcv 1/1 Running 0 38s 10.42.0.103 dongdorrong +default dummy-13-dummy-app-high-resource-7ccf69964f-7sq7g 1/1 Running 0 38s 10.42.0.105 dongdorrong +default dummy-13-dummy-app-no-limits-b8849b8c4-22cc4 1/1 Running 0 38s 10.42.0.104 dongdorrong +default dummy-14-dummy-app-5f8557f555-b58vp 1/1 Running 0 36s 10.42.0.108 dongdorrong +default dummy-14-dummy-app-high-resource-5f94b776b6-7dxjr 1/1 Running 0 36s 10.42.0.106 dongdorrong +default dummy-14-dummy-app-no-limits-7cc7f549c7-6w2zb 1/1 Running 0 36s 10.42.0.107 dongdorrong +default dummy-15-dummy-app-fc75f544-kbfk8 1/1 Running 0 23s 10.42.0.109 dongdorrong +default dummy-15-dummy-app-high-resource-5df6d8f9bc-7ktkw 1/1 Running 0 23s 10.42.0.110 dongdorrong +default dummy-15-dummy-app-no-limits-55884ff8d4-qjft5 1/1 Running 0 23s 10.42.0.111 dongdorrong +default dummy-2-dummy-app-75598fdd76-dnplj 1/1 Running 0 103s 10.42.0.71 dongdorrong +default dummy-2-dummy-app-high-resource-cd4ccd59f-hcg2g 1/1 Running 0 103s 10.42.0.70 dongdorrong +default dummy-2-dummy-app-no-limits-d9c699b9b-gzvr9 1/1 Running 0 103s 10.42.0.72 dongdorrong +default dummy-3-dummy-app-7d454fc9df-ncmnh 1/1 Running 0 100s 10.42.0.75 dongdorrong +default dummy-3-dummy-app-high-resource-79f8474f9b-wltpv 1/1 Running 0 100s 10.42.0.73 dongdorrong +default dummy-3-dummy-app-no-limits-7d88889b8c-kt9nd 1/1 Running 0 100s 10.42.0.74 dongdorrong +default dummy-4-dummy-app-76bd767bdb-k5bvh 1/1 Running 0 88s 10.42.0.77 dongdorrong +default dummy-4-dummy-app-high-resource-75f7f978b9-nrhv4 1/1 Running 0 88s 10.42.0.76 dongdorrong +default dummy-4-dummy-app-no-limits-745dcfd6f4-vnsgm 1/1 Running 0 88s 10.42.0.78 dongdorrong +default dummy-5-dummy-app-7c8f496b87-66lf8 1/1 Running 0 86s 10.42.0.81 dongdorrong +default dummy-5-dummy-app-high-resource-6b56c9d4b-nrzjq 1/1 Running 0 86s 10.42.0.80 dongdorrong +default dummy-5-dummy-app-no-limits-6585655dd5-68bhm 1/1 Running 0 86s 10.42.0.79 dongdorrong +default dummy-6-dummy-app-5784d4cf8d-t4b6l 1/1 Running 0 84s 10.42.0.82 dongdorrong +default dummy-6-dummy-app-high-resource-5fbcfb9d87-hlsq6 1/1 Running 0 84s 10.42.0.83 dongdorrong +default dummy-6-dummy-app-no-limits-b4668c7d4-p599c 1/1 Running 0 84s 10.42.0.84 dongdorrong +default dummy-7-dummy-app-859545ccb5-9n2k4 1/1 Running 0 72s 10.42.0.87 dongdorrong +default dummy-7-dummy-app-high-resource-b564dcc56-kmcjb 1/1 Running 0 72s 10.42.0.85 dongdorrong +default dummy-7-dummy-app-no-limits-8fccc6b47-s4n8w 1/1 Running 0 72s 10.42.0.86 dongdorrong +default dummy-8-dummy-app-68d46566f4-m5smz 1/1 Running 0 69s 10.42.0.88 dongdorrong +default dummy-8-dummy-app-high-resource-85c77b5bf7-hhrq7 1/1 Running 0 69s 10.42.0.90 dongdorrong +default dummy-8-dummy-app-no-limits-8747c8f86-mrskd 1/1 Running 0 69s 10.42.0.89 dongdorrong +default dummy-9-dummy-app-5bc88c8dc-dnl58 1/1 Running 0 67s 10.42.0.92 dongdorrong +default dummy-9-dummy-app-high-resource-bb5c9d85d-58852 1/1 Running 0 67s 10.42.0.91 dongdorrong +default dummy-9-dummy-app-no-limits-6fd77c8bf7-pz7k6 1/1 Running 0 67s 10.42.0.93 dongdorrong +default test-high-dummy-app-67fc48c4d5-8hzhz 1/1 Running 0 15s 10.42.0.114 dongdorrong +default test-high-dummy-app-high-resource-5d5d5d89f4-bxlkh 1/1 Running 0 15s 10.42.0.112 dongdorrong +default test-high-dummy-app-no-limits-684b5fd5d7-qmvlt 1/1 Running 0 15s 10.42.0.113 dongdorrong +default test-low-dummy-app-56d6785ff9-gx4vq 1/1 Running 0 12s 10.42.0.115 dongdorrong +default test-low-dummy-app-high-resource-68578fbfb-lrr5m 1/1 Running 0 12s 10.42.0.117 dongdorrong +default test-low-dummy-app-no-limits-585ff56bfc-j7tnn 1/1 Running 0 12s 10.42.0.116 dongdorrong +kube-system coredns-697968c856-jqj2s 1/1 Running 0 64m 10.42.0.4 dongdorrong +kube-system helm-install-traefik-97g6p 0/1 Completed 1 64m 10.42.0.5 dongdorrong +kube-system helm-install-traefik-crd-mjljj 0/1 Completed 0 64m 10.42.0.6 dongdorrong +kube-system local-path-provisioner-774c6665dc-882j7 1/1 Running 0 64m 10.42.0.3 dongdorrong +kube-system metrics-server-6f4c6675d5-9tgjj 1/1 Running 0 64m 10.42.0.2 dongdorrong +kube-system svclb-traefik-c082f6f0-qrfdz 2/2 Running 0 64m 10.42.0.7 dongdorrong +kube-system traefik-c98fdf6fb-g9nvs 1/1 Running 0 64m 10.42.0.8 dongdorrong +kyverno kyverno-admission-controller-6d55595bd5-d44p4 1/1 Running 0 51m 10.42.0.9 dongdorrong +kyverno kyverno-background-controller-5fccfb6b67-x8726 1/1 Running 0 51m 10.42.0.12 dongdorrong +kyverno kyverno-cleanup-controller-6867df796b-zj9tz 1/1 Running 0 51m 10.42.0.11 dongdorrong +kyverno kyverno-reports-controller-565dc659dd-mkhmh 1/1 Running 0 51m 10.42.0.10 dongdorrong +``` + +### 실시간 리소스 사용량 +``` +NAME CPU(cores) CPU(%) MEMORY(bytes) MEMORY(%) +dongdorrong 1229m 5% 3707Mi 23% +``` + +--- + +16:54:51 [INFO] 현재 노드 리소스 사용량: +16:54:51 [INFO] 현재 노드 리소스 사용량 확인 +16:54:52 [INFO] 배포된 파드들의 리소스 설정: +### 배포된 파드들의 리소스 설정 +``` +dummy-1-dummy-app-67d6596fbc-knp7f 800m 1 +dummy-1-dummy-app-high-resource-76769bd998-ftqgl 500m 1 +dummy-1-dummy-app-no-limits-5497cfb4f7-xr8gb 100m +dummy-10-dummy-app-5b9d6b9d47-pztgp 800m 1 +dummy-10-dummy-app-high-resource-68d77bb57d-6bhgm 500m 1 +dummy-10-dummy-app-no-limits-5dc8c9448f-stv95 100m +dummy-11-dummy-app-bb588988-zrx72 800m 1 +dummy-11-dummy-app-high-resource-6dc87bdb5f-fsvtw 500m 1 +dummy-11-dummy-app-no-limits-7d7b4b8b7b-g4x7x 100m +dummy-12-dummy-app-55fbfb5-mw6p8 800m 1 +dummy-12-dummy-app-high-resource-b59d6d9cb-9jbrn 500m 1 +dummy-12-dummy-app-no-limits-5f9bbff575-fv6wt 100m +dummy-13-dummy-app-687fdbfc86-hnqcv 800m 1 +dummy-13-dummy-app-high-resource-7ccf69964f-7sq7g 500m 1 +dummy-13-dummy-app-no-limits-b8849b8c4-22cc4 100m +dummy-14-dummy-app-5f8557f555-b58vp 800m 1 +dummy-14-dummy-app-high-resource-5f94b776b6-7dxjr 500m 1 +dummy-14-dummy-app-no-limits-7cc7f549c7-6w2zb 100m +dummy-15-dummy-app-fc75f544-kbfk8 800m 1 +dummy-15-dummy-app-high-resource-5df6d8f9bc-7ktkw 500m 1 +dummy-15-dummy-app-no-limits-55884ff8d4-qjft5 100m +dummy-2-dummy-app-75598fdd76-dnplj 800m 1 +dummy-2-dummy-app-high-resource-cd4ccd59f-hcg2g 500m 1 +dummy-2-dummy-app-no-limits-d9c699b9b-gzvr9 100m +dummy-3-dummy-app-7d454fc9df-ncmnh 800m 1 +dummy-3-dummy-app-high-resource-79f8474f9b-wltpv 500m 1 +dummy-3-dummy-app-no-limits-7d88889b8c-kt9nd 100m +dummy-4-dummy-app-76bd767bdb-k5bvh 800m 1 +dummy-4-dummy-app-high-resource-75f7f978b9-nrhv4 500m 1 +dummy-4-dummy-app-no-limits-745dcfd6f4-vnsgm 100m +dummy-5-dummy-app-7c8f496b87-66lf8 800m 1 +dummy-5-dummy-app-high-resource-6b56c9d4b-nrzjq 500m 1 +dummy-5-dummy-app-no-limits-6585655dd5-68bhm 100m +dummy-6-dummy-app-5784d4cf8d-t4b6l 800m 1 +dummy-6-dummy-app-high-resource-5fbcfb9d87-hlsq6 500m 1 +dummy-6-dummy-app-no-limits-b4668c7d4-p599c 100m +dummy-7-dummy-app-859545ccb5-9n2k4 800m 1 +dummy-7-dummy-app-high-resource-b564dcc56-kmcjb 500m 1 +dummy-7-dummy-app-no-limits-8fccc6b47-s4n8w 100m +dummy-8-dummy-app-68d46566f4-m5smz 800m 1 +dummy-8-dummy-app-high-resource-85c77b5bf7-hhrq7 500m 1 +dummy-8-dummy-app-no-limits-8747c8f86-mrskd 100m +dummy-9-dummy-app-5bc88c8dc-dnl58 800m 1 +dummy-9-dummy-app-high-resource-bb5c9d85d-58852 500m 1 +dummy-9-dummy-app-no-limits-6fd77c8bf7-pz7k6 100m +test-high-dummy-app-67fc48c4d5-8hzhz 150m 300m +test-high-dummy-app-high-resource-5d5d5d89f4-bxlkh 150m 300m +test-high-dummy-app-no-limits-684b5fd5d7-qmvlt 150m 300m +test-low-dummy-app-56d6785ff9-gx4vq 150m 300m +test-low-dummy-app-high-resource-68578fbfb-lrr5m 150m 300m +test-low-dummy-app-no-limits-585ff56bfc-j7tnn 150m 300m +``` + +16:54:52 [INFO] 전체 테스트 완료 +16:54:52 [INFO] 리포트가 kyverno-test-report-20250531-165306.md 에 저장되었습니다 diff --git a/k3-kyverno-test/kyverno-test-report-20250531-165721.md b/k3-kyverno-test/kyverno-test-report-20250531-165721.md new file mode 100644 index 0000000..6eec0bf --- /dev/null +++ b/k3-kyverno-test/kyverno-test-report-20250531-165721.md @@ -0,0 +1,147 @@ +# Kyverno 테스트 리포트 + +**테스트 시작 시간**: 2025-05-31 16:57:21 +**테스트 환경**: k3s 클러스터 +**목적**: CPU 리소스 요청/제한에 대한 Kyverno 정책 효과 검증 + +## 테스트 개요 + +1. 더미 앱 15개 배포하여 노드 리소스 50-60% 사용 +2. Kyverno 정책 배포 (CPU 제한을 300m으로 제한) +3. 정책 효과 확인 +4. 리소스 사용량 변화 측정 + +--- + +## 디렉토리 구조 + +``` +/home/dongdorrong/github/private/kubernetes/k3-kyverno-test/ +├── dummy-app/ # Helm 차트 +│ ├── Chart.yaml +│ ├── values.yaml +│ └── templates/ +├── kyverno/ # Kyverno Helm 차트 +├── kyverno-policy/ # 정책 파일들 +├── simple-test.sh # 기본 테스트 스크립트 +└── test-with-report.sh # 리포트 생성 스크립트 +``` + +--- + +16:57:21 [INFO] 리소스 정리 + +## 리소스 정리 + +**정리 시작 시간**: 2025-05-31 16:57:21 + +16:57:23 [INFO] 정리 완료 +✅ 모든 리소스 정리 완료 + +## 정리 후 노드 상태 + +**시간**: 2025-05-31 16:57:23 + +### 노드 기본 정보 +``` +NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME +dongdorrong Ready control-plane,master 66m v1.32.5+k3s1 172.25.237.158 Ubuntu 24.04.2 LTS 5.15.153.1-microsoft-standard-WSL2 containerd://2.0.5-k3s1.32 +``` + +### 리소스 할당 현황 +``` +Allocated resources: + (Total limits may be over 100 percent, i.e., overcommitted.) + Resource Requests Limits + -------- -------- ------ + cpu 19700m (82%) 27900m (116%) + memory 13644Mi (85%) 23466Mi (147%) + ephemeral-storage 0 (0%) 0 (0%) + hugepages-1Gi 0 (0%) 0 (0%) + hugepages-2Mi 0 (0%) 0 (0%) +Events: +``` + +### 현재 실행 중인 파드 +``` +NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +default dummy-10-dummy-app-5b9d6b9d47-pztgp 1/1 Running 0 3m27s 10.42.0.95 dongdorrong +default dummy-10-dummy-app-high-resource-68d77bb57d-6bhgm 1/1 Running 0 3m27s 10.42.0.94 dongdorrong +default dummy-10-dummy-app-no-limits-5dc8c9448f-stv95 1/1 Running 0 3m27s 10.42.0.96 dongdorrong +default dummy-11-dummy-app-bb588988-zrx72 1/1 Running 0 3m25s 10.42.0.97 dongdorrong +default dummy-11-dummy-app-high-resource-6dc87bdb5f-fsvtw 1/1 Running 0 3m25s 10.42.0.98 dongdorrong +default dummy-11-dummy-app-no-limits-7d7b4b8b7b-g4x7x 1/1 Running 0 3m25s 10.42.0.99 dongdorrong +default dummy-12-dummy-app-55fbfb5-mw6p8 1/1 Running 0 3m22s 10.42.0.102 dongdorrong +default dummy-12-dummy-app-high-resource-b59d6d9cb-9jbrn 1/1 Running 0 3m22s 10.42.0.100 dongdorrong +default dummy-12-dummy-app-no-limits-5f9bbff575-fv6wt 1/1 Running 0 3m22s 10.42.0.101 dongdorrong +default dummy-13-dummy-app-687fdbfc86-hnqcv 1/1 Running 0 3m10s 10.42.0.103 dongdorrong +default dummy-13-dummy-app-high-resource-7ccf69964f-7sq7g 1/1 Running 0 3m10s 10.42.0.105 dongdorrong +default dummy-13-dummy-app-no-limits-b8849b8c4-22cc4 1/1 Running 0 3m10s 10.42.0.104 dongdorrong +default dummy-14-dummy-app-5f8557f555-b58vp 1/1 Running 0 3m8s 10.42.0.108 dongdorrong +default dummy-14-dummy-app-high-resource-5f94b776b6-7dxjr 1/1 Running 0 3m8s 10.42.0.106 dongdorrong +default dummy-14-dummy-app-no-limits-7cc7f549c7-6w2zb 1/1 Running 0 3m8s 10.42.0.107 dongdorrong +default dummy-15-dummy-app-fc75f544-kbfk8 1/1 Running 0 2m55s 10.42.0.109 dongdorrong +default dummy-15-dummy-app-high-resource-5df6d8f9bc-7ktkw 1/1 Running 0 2m55s 10.42.0.110 dongdorrong +default dummy-15-dummy-app-no-limits-55884ff8d4-qjft5 1/1 Running 0 2m55s 10.42.0.111 dongdorrong +default dummy-3-dummy-app-7d454fc9df-ncmnh 1/1 Running 0 4m12s 10.42.0.75 dongdorrong +default dummy-3-dummy-app-high-resource-79f8474f9b-wltpv 1/1 Running 0 4m12s 10.42.0.73 dongdorrong +default dummy-3-dummy-app-no-limits-7d88889b8c-kt9nd 1/1 Running 0 4m12s 10.42.0.74 dongdorrong +default dummy-4-dummy-app-76bd767bdb-k5bvh 1/1 Running 0 4m 10.42.0.77 dongdorrong +default dummy-4-dummy-app-high-resource-75f7f978b9-nrhv4 1/1 Running 0 4m 10.42.0.76 dongdorrong +default dummy-4-dummy-app-no-limits-745dcfd6f4-vnsgm 1/1 Running 0 4m 10.42.0.78 dongdorrong +default dummy-5-dummy-app-7c8f496b87-66lf8 1/1 Running 0 3m58s 10.42.0.81 dongdorrong +default dummy-5-dummy-app-high-resource-6b56c9d4b-nrzjq 1/1 Running 0 3m58s 10.42.0.80 dongdorrong +default dummy-5-dummy-app-no-limits-6585655dd5-68bhm 1/1 Running 0 3m58s 10.42.0.79 dongdorrong +default dummy-6-dummy-app-5784d4cf8d-t4b6l 1/1 Running 0 3m56s 10.42.0.82 dongdorrong +default dummy-6-dummy-app-high-resource-5fbcfb9d87-hlsq6 1/1 Running 0 3m56s 10.42.0.83 dongdorrong +default dummy-6-dummy-app-no-limits-b4668c7d4-p599c 1/1 Running 0 3m56s 10.42.0.84 dongdorrong +default dummy-7-dummy-app-859545ccb5-9n2k4 1/1 Running 0 3m44s 10.42.0.87 dongdorrong +default dummy-7-dummy-app-high-resource-b564dcc56-kmcjb 1/1 Running 0 3m44s 10.42.0.85 dongdorrong +default dummy-7-dummy-app-no-limits-8fccc6b47-s4n8w 1/1 Running 0 3m44s 10.42.0.86 dongdorrong +default dummy-8-dummy-app-68d46566f4-m5smz 1/1 Running 0 3m41s 10.42.0.88 dongdorrong +default dummy-8-dummy-app-high-resource-85c77b5bf7-hhrq7 1/1 Running 0 3m41s 10.42.0.90 dongdorrong +default dummy-8-dummy-app-no-limits-8747c8f86-mrskd 1/1 Running 0 3m41s 10.42.0.89 dongdorrong +default dummy-9-dummy-app-5bc88c8dc-dnl58 1/1 Running 0 3m39s 10.42.0.92 dongdorrong +default dummy-9-dummy-app-high-resource-bb5c9d85d-58852 1/1 Running 0 3m39s 10.42.0.91 dongdorrong +default dummy-9-dummy-app-no-limits-6fd77c8bf7-pz7k6 1/1 Running 0 3m39s 10.42.0.93 dongdorrong +default test-high-dummy-app-67fc48c4d5-8hzhz 1/1 Running 0 2m47s 10.42.0.114 dongdorrong +default test-high-dummy-app-high-resource-5d5d5d89f4-bxlkh 1/1 Running 0 2m47s 10.42.0.112 dongdorrong +default test-high-dummy-app-no-limits-684b5fd5d7-qmvlt 1/1 Running 0 2m47s 10.42.0.113 dongdorrong +default test-low-dummy-app-56d6785ff9-gx4vq 1/1 Running 0 2m44s 10.42.0.115 dongdorrong +default test-low-dummy-app-high-resource-68578fbfb-lrr5m 1/1 Running 0 2m44s 10.42.0.117 dongdorrong +default test-low-dummy-app-no-limits-585ff56bfc-j7tnn 1/1 Running 0 2m44s 10.42.0.116 dongdorrong +kube-system coredns-697968c856-jqj2s 1/1 Running 0 66m 10.42.0.4 dongdorrong +kube-system helm-install-traefik-97g6p 0/1 Completed 1 66m 10.42.0.5 dongdorrong +kube-system helm-install-traefik-crd-mjljj 0/1 Completed 0 66m 10.42.0.6 dongdorrong +kube-system local-path-provisioner-774c6665dc-882j7 1/1 Running 0 66m 10.42.0.3 dongdorrong +kube-system metrics-server-6f4c6675d5-9tgjj 1/1 Running 0 66m 10.42.0.2 dongdorrong +kube-system svclb-traefik-c082f6f0-qrfdz 2/2 Running 0 66m 10.42.0.7 dongdorrong +kube-system traefik-c98fdf6fb-g9nvs 1/1 Running 0 66m 10.42.0.8 dongdorrong +kyverno kyverno-admission-controller-6d55595bd5-d44p4 1/1 Running 0 54m 10.42.0.9 dongdorrong +kyverno kyverno-background-controller-5fccfb6b67-x8726 1/1 Running 0 54m 10.42.0.12 dongdorrong +kyverno kyverno-cleanup-controller-6867df796b-zj9tz 1/1 Running 0 54m 10.42.0.11 dongdorrong +kyverno kyverno-reports-controller-565dc659dd-mkhmh 1/1 Running 0 54m 10.42.0.10 dongdorrong +``` + +### 실시간 리소스 사용량 +``` +NAME CPU(cores) CPU(%) MEMORY(bytes) MEMORY(%) +dongdorrong 265m 1% 3755Mi 23% +``` + +--- + + +--- + +## 테스트 완료 + +**테스트 종료 시간**: 2025-05-31 16:57:23 +**리포트 파일**: kyverno-test-report-20250531-165721.md + +### 요약 +- 더미 앱 배포를 통한 노드 리소스 사용량 증가 확인 +- Kyverno 정책을 통한 CPU 제한 제어 확인 +- 정책 적용 전후 리소스 사용량 변화 측정 + +16:57:23 [INFO] 리포트가 kyverno-test-report-20250531-165721.md 에 저장되었습니다 diff --git a/k3-kyverno-test/kyverno/Chart.lock b/k3-kyverno-test/kyverno/Chart.lock new file mode 100644 index 0000000..5cde9d0 --- /dev/null +++ b/k3-kyverno-test/kyverno/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: grafana + repository: "" + version: 3.4.1 +- name: crds + repository: "" + version: 3.4.1 +digest: sha256:3d2f7b50b356e76cded3843a17ea5b83ca08b40b7cbda5f6ec621473f986459a +generated: "2025-04-30T14:55:51.216823113Z" diff --git a/k3-kyverno-test/kyverno/Chart.yaml b/k3-kyverno-test/kyverno/Chart.yaml new file mode 100644 index 0000000..1fb2a96 --- /dev/null +++ b/k3-kyverno-test/kyverno/Chart.yaml @@ -0,0 +1,45 @@ +annotations: + artifacthub.io/changes: | + - kind: added + description: Add toggle for enabeling/disabling aggregating the user-facing roles with the kyverno rbac. + artifacthub.io/links: | + - name: Documentation + url: https://kyverno.io/docs + artifacthub.io/operator: "false" + artifacthub.io/prerelease: "false" +apiVersion: v2 +appVersion: v1.14.1 +dependencies: +- condition: grafana.enabled + name: grafana + repository: "" + version: 3.4.1 +- condition: crds.install + name: crds + repository: "" + version: 3.4.1 +description: Kubernetes Native Policy Management +home: https://kyverno.io/ +icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png +keywords: +- kubernetes +- nirmata +- policy agent +- policy +- validating webhook +- admission controller +- mutation +- mutate +- validate +- generate +- supply chain +- security +kubeVersion: '>=1.25.0-0' +maintainers: +- name: Nirmata + url: https://kyverno.io/ +name: kyverno +sources: +- https://github.com/kyverno/kyverno +type: application +version: 3.4.1 diff --git a/k3-kyverno-test/kyverno/README.md b/k3-kyverno-test/kyverno/README.md new file mode 100644 index 0000000..adfb0b7 --- /dev/null +++ b/k3-kyverno-test/kyverno/README.md @@ -0,0 +1,880 @@ +# kyverno + +Kubernetes Native Policy Management + +![Version: 3.4.1](https://img.shields.io/badge/Version-3.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.14.1](https://img.shields.io/badge/AppVersion-v1.14.1-informational?style=flat-square) + +## About + +[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. + +It allows you to: +- Manage policies as Kubernetes resources (no new language required.) +- Validate, mutate, and generate resource configurations. +- Select resources based on labels and wildcards. +- View policy enforcement as events. +- Scan existing resources for violations. + +This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Access the complete user documentation and guides at: https://kyverno.io. + +## Installing the Chart + +**IMPORTANT IMPORTANT IMPORTANT IMPORTANT** + +This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section. + +**Add the Kyverno Helm repository:** + +```console +$ helm repo add kyverno https://kyverno.github.io/kyverno/ +``` + +**Create a namespace:** + +You can install Kyverno in any namespace. The examples use `kyverno` as the namespace. + +```console +$ kubectl create namespace kyverno +``` + +**Install the Kyverno chart:** + +```console +$ helm install kyverno --namespace kyverno kyverno/kyverno +``` + +The command deploys Kyverno on the Kubernetes cluster with default configuration. The [installation](https://kyverno.io/docs/installation/) guide lists the parameters that can be configured during installation. + +The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`. +Other ClusterRole/ClusterRoleBinding names are configurable. + +**Notes on using ArgoCD:** + +When deploying this chart with ArgoCD you will need to enable `Replace` in the `syncOptions`, and you probably want to ignore diff in aggregated cluster roles. + +You can do so by following instructions in these pages of ArgoCD documentation: +- [Enable Replace in the syncOptions](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#replace-resource-instead-of-applying-changes) +- [Ignore diff in aggregated cluster roles](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#ignoring-rbac-changes-made-by-aggregateroles) + +ArgoCD uses helm only for templating but applies the results with `kubectl`. + +Unfortunately `kubectl` adds metadata that will cross the limit allowed by Kubernetes. Using `Replace` overcomes this limitation. + +Another option is to use server side apply, this will be supported in ArgoCD v2.5. + +Finally, we introduced new CRDs in 1.8 to manage resource-level reports. Those reports are associated with parent resources using an `ownerReference` object. + +As a consequence, ArgoCD will show those reports in the UI, but as they are managed dynamically by Kyverno it can pollute your dashboard. + +You can tell ArgoCD to ignore reports globally by adding them under the `resource.exclusions` stanza in the ArgoCD ConfigMap. + +```yaml + resource.exclusions: | + - apiGroups: + - kyverno.io + kinds: + - AdmissionReport + - BackgroundScanReport + - ClusterAdmissionReport + - ClusterBackgroundScanReport + clusters: + - '*' +``` + +Below is an example of ArgoCD Application manifest that should work with this chart. + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kyverno + namespace: argocd +spec: + destination: + namespace: kyverno + server: https://kubernetes.default.svc + project: default + source: + chart: kyverno + repoURL: https://kyverno.github.io/kyverno + targetRevision: 2.6.0 + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - Replace=true +``` + +**Notes on using Azure Kubernetes Service (AKS):** + +AKS contains a component known as [Admission Enforcer](https://learn.microsoft.com/en-us/azure/aks/faq#can-admission-controller-webhooks-impact-kube-system-and-internal-aks-namespaces) which will attempt to modify Kyverno's webhooks if not excluded explicitly during Helm installation. If Admissions Enforcer is not disabled, this can lead to several symptoms such as high observed CPU usage and potentially cluster instability. Please see the Kyverno documentation [here](https://kyverno.io/docs/installation/platform-notes/#notes-for-aks-users) for more information and how to set this annotation on webhooks. + +## Migrating from v2 to v3 + +Direct upgrades from v2 of the Helm chart to v3 are not supported due to the number of breaking changes and manual intervention is required. Review and select an option after carefully reading below. Because either method requires down time, an upgrade should only be performed during a maintenance window. Regardless of the chosen option, please read all release notes very carefully to understand the full extent of changes brought by Kyverno 1.10. Release notes can be found at https://github.com/kyverno/kyverno/releases. + +**IMPORTANT NOTE**: If you currently use [clone-type](https://kyverno.io/docs/writing-policies/generate/#clone-source) generate rules with synchronization enabled, please do not upgrade to 1.10.0 as there is a bug which may prevent synchronization from occurring on all downstream (generated) resources when the source is updated. Please wait for a future patch where this should be resolved. See [issue 7170](https://github.com/kyverno/kyverno/issues/7170) for further details. + +### Option 1 - Uninstallation and Reinstallation + +The first option for upgrading, which is the recommended option, involves backing up Kyverno policy resources, uninstalling Kyverno, and reinstalling with v3 of the chart. Policy Reports for policies which have background mode enabled will be regenerated upon the next scan interval. + +**Pros** + +* Reduced complexity with minimal effort +* Allows re-checking older policies against new validation webhooks in 1.10 + +**Cons** + +* Policy Reports which contained results only from admission mode and from policies/rules where background scans were disabled will be lost. +* Requires additional steps if data-type generate rules are used + +Follow the procedure below. + +1. READ THE COMPLETE RELEASE NOTES FIRST +2. Backup and export all Kyverno policy resources to a YAML manifest. Use the command `kubectl get pol,cpol,cleanpol,ccleanpol,polex -A -o yaml > kyvernobackup.yaml`. + 1. Before performing this step, if you use [data-type](https://kyverno.io/docs/writing-policies/generate/#data-source) generate rules with synchronization enabled (`generate.synchronize: true`) disable synchronization first (set `generate.synchronize: false`). If you do not perform this step first, uninstallation of Kyverno in the subsequent step, which removes all policies, will result in deletion of generated resources. +3. Uninstall your current version of Kyverno. +4. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. +5. Install the v3 chart with Kyverno 1.10. +6. Restore your Kyverno policies. Use the command `kubectl create -f kyvernobackup.yaml`. + 1. Before performing this step, if step 2.1 applied to you, enable synchronization (set `generate.synchronize: true`) AND add the field `spec.generateExisting: true`. This will cause existing, generated resources to be refreshed with the new labeling system used by Kyverno 1.10. Note that this may increment the `resourceVersion` field on all downstream resources. Also, understand that when re-installing these policies with `spec.generateExisting: true`, it could result in additional resources being created at that moment based upon the current match defined in the policy. You may need to further refine the match/exclude blocks of your rules to account for this. + +### Option 2 - Scale to Zero + +In the second option, Kyverno policies do not have to be backed up however you perform more manual work in order to prepare for the upgrade to chart v3. + +**Pros** + +* Policy Reports which contained results from admission mode will be preserved +* Kyverno policies do not need to be backed up first + +**Cons** + +* Older policies will not be revalidated for correctness according to the breaking schema changes. Some policies may not work as they did before. +* Requires additional steps if data-type generate rules are used + +Follow the procedure below. + +1. READ THE COMPLETE RELEASE NOTES FIRST +2. Scale the `kyverno` Deployment to zero replicas. +3. If coming from 1.9 and you have installed the cleanup controller, scale the `kyverno-cleanup-controller` Deployment to zero replicas. +4. If step 3 applied to you, now delete the cleanup Deployment. +5. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. +6. Upgrade to the v3 chart by passing the mandatory flag `upgrade.fromV2=true`. +7. If you use [data-type](https://kyverno.io/docs/writing-policies/generate/#data-source) generate rules with synchronization enabled (`generate.synchronize: true`), after the upgrade modify those policies to add the field `spec.generateExisting: true`. This will cause existing, generated resources to be refreshed with the new labeling system used by Kyverno 1.10. Note that this may increment the `resourceVersion` field on all downstream resources. Also, understand that when making this modification, it could result in additional resources being created at that moment based upon the current match defined in the policy. You may need to further refine the match/exclude blocks of your rules to account for this. + +### New Chart Values + +In `v3` chart values changed significantly, please read the instructions below to migrate your values: + +- `config.metricsConfig` is now `metricsConfig` +- `resourceFiltersExcludeNamespaces` has been replaced with `config.resourceFiltersExcludeNamespaces` +- `excludeKyvernoNamespace` has been replaced with `config.excludeKyvernoNamespace` +- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__ +- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__ +- `namespace` has been renamed `namespaceOverride` +- `installCRDs` has been replaced with `crds.install` +- `testImage` has been replaced with `test.image` +- `testResources` has been replaced with `test.resources` +- `testSecurityContext` has been replaced with `test.securityContext` +- `replicaCount` has been replaced with `admissionController.replicas` +- `updateStrategy` has been replaced with `admissionController.updateStrategy` +- `priorityClassName` has been replaced with `admissionController.priorityClassName` +- `hostNetwork` has been replaced with `admissionController.hostNetwork` +- `dnsPolicy` has been replaced with `admissionController.dnsPolicy` +- `nodeSelector` has been replaced with `admissionController.nodeSelector` +- `tolerations` has been replaced with `admissionController.tolerations` +- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints` +- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget` +- `antiAffinity` has been replaced with `admissionController.antiAffinity` +- `antiAffinity.enable` has been replaced with `admissionController.antiAffinity.enabled` +- `podAntiAffinity` has been replaced with `admissionController.podAntiAffinity` +- `podAffinity` has been replaced with `admissionController.podAffinity` +- `nodeAffinity` has been replaced with `admissionController.nodeAffinity` +- `startupProbe` has been replaced with `admissionController.startupProbe` +- `livenessProbe` has been replaced with `admissionController.livenessProbe` +- `readinessProbe` has been replaced with `admissionController.readinessProbe` +- `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert` +- `serviceMonitor` has been replaced with `admissionController.serviceMonitor` +- `podSecurityContext` has been replaced with `admissionController.podSecurityContext` +- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath` +- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume` +- `initImage` has been replaced with `admissionController.initContainer.image` +- `initResources` has been replaced with `admissionController.initContainer.resources` +- `image` has been replaced with `admissionController.container.image` +- `image.pullSecrets` has been replaced with `admissionController.imagePullSecrets` +- `resources` has been replaced with `admissionController.container.resources` +- `service` has been replaced with `admissionController.service` +- `metricsService` has been replaced with `admissionController.metricsService` +- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs` +- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars` +- `envVars` has been replaced with `admissionController.container.extraEnvVars` +- `extraArgs` has been replaced with `admissionController.container.extraArgs` +- `extraInitContainers` has been replaced with `admissionController.extraInitContainers` +- `extraContainers` has been replaced with `admissionController.extraContainers` +- `podLabels` has been replaced with `admissionController.podLabels` +- `podAnnotations` has been replaced with `admissionController.podAnnotations` +- `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext` +- `rbac` has been replaced with `admissionController.rbac` +- `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources` +- `networkPolicy` has been replaced with `admissionController.networkPolicy` +- all `extraArgs` now use objects instead of arrays +- logging, tracing and metering are now configured using `*Controller.logging`, `*Controller.tracing` and `*Controller.metering` + +- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. + +- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. + +- Image references are now using the `registry` setting, if you override the registry or repository fields please use `registry` (`--set image.registry=ghcr.io --set image.repository=kyverno/kyverno` instead of `--set image.repository=ghcr.io/kyverno/kyverno`). + +- Admission controller `Deployment` name changed from `kyverno` to `kyverno-admission-controller`. +- `config.excludeUsername` was renamed to `config.excludeUsernames` +- `config.excludeGroupRole` was renamed to `config.excludeGroups` + +Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions. + +## Uninstalling the Chart + +To uninstall/delete the `kyverno` deployment: + +```console +$ helm delete -n kyverno kyverno +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Values + +The chart values are organised per component. + +### Custom resource definitions + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created | +| crds.groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | Install CRDs in group `kyverno.io` | +| crds.groups.policies | object | `{"imagevalidatingpolicies":true,"policyexceptions":true,"validatingpolicies":true}` | Install CRDs in group `policies.kyverno.io` | +| crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` | +| crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` | +| crds.annotations | object | `{}` | Additional CRDs annotations | +| crds.customLabels | object | `{}` | Additional CRDs labels | +| crds.migration.enabled | bool | `true` | Enable CRDs migration using helm post upgrade hook | +| crds.migration.resources | list | `["cleanuppolicies.kyverno.io","clustercleanuppolicies.kyverno.io","clusterpolicies.kyverno.io","globalcontextentries.kyverno.io","policies.kyverno.io","policyexceptions.kyverno.io","updaterequests.kyverno.io"]` | Resources to migrate | +| crds.migration.image.registry | string | `nil` | Image registry | +| crds.migration.image.defaultRegistry | string | `"reg.kyverno.io"` | | +| crds.migration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository | +| crds.migration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| crds.migration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| crds.migration.imagePullSecrets | list | `[]` | Image pull secrets | +| crds.migration.podSecurityContext | object | `{}` | Security context for the pod | +| crds.migration.nodeSelector | object | `{}` | Node labels for pod assignment | +| crds.migration.tolerations | list | `[]` | List of node taints to tolerate | +| crds.migration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | +| crds.migration.podAffinity | object | `{}` | Pod affinity constraints. | +| crds.migration.podLabels | object | `{}` | Pod labels. | +| crds.migration.podAnnotations | object | `{}` | Pod annotations. | +| crds.migration.nodeAffinity | object | `{}` | Node affinity constraints. | +| crds.migration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | +| crds.migration.podResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| crds.migration.podResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | + +### Config + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config.create | bool | `true` | Create the configmap. | +| config.preserve | bool | `true` | Preserve the configmap settings during upgrade. | +| config.name | string | `nil` | The configmap name (required if `create` is `false`). | +| config.annotations | object | `{}` | Additional annotations to add to the configmap. | +| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. | +| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. | +| config.excludeGroups | list | `["system:nodes"]` | Exclude groups | +| config.excludeUsernames | list | `[]` | Exclude usernames | +| config.excludeRoles | list | `[]` | Exclude roles | +| config.excludeClusterRoles | list | `[]` | Exclude roles | +| config.generateSuccessEvents | bool | `false` | Generate success events. | +| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | +| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. | +| config.webhooks | object | `{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}` | Defines the `namespaceSelector`/`objectSelector` in the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | +| config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. | +| config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. | +| config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). | +| config.excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | +| config.resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | +| config.resourceFiltersExclude | list | `[]` | resourceFilters exclude list Items to exclude from config.resourceFilters | +| config.resourceFiltersIncludeNamespaces | list | `[]` | resourceFilter namespace include Namespaces to include to the default resourceFilters | +| config.resourceFiltersInclude | list | `[]` | resourceFilters include list Items to include to config.resourceFilters | + +### Metrics config + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| metricsConfig.create | bool | `true` | Create the configmap. | +| metricsConfig.name | string | `nil` | The configmap name (required if `create` is `false`). | +| metricsConfig.annotations | object | `{}` | Additional annotations to add to the configmap. | +| metricsConfig.namespaces.include | list | `[]` | List of namespaces to capture metrics for. | +| metricsConfig.namespaces.exclude | list | `[]` | list of namespaces to NOT capture metrics for. | +| metricsConfig.metricsRefreshInterval | string | `nil` | Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0 | +| metricsConfig.bucketBoundaries | list | `[0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10,15,20,25,30]` | Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller | +| metricsConfig.metricsExposure | map | `{"kyverno_admission_requests_total":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_admission_review_duration_seconds":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_cleanup_controller_deletedobjects_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_policy_results_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_rule_info_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]}}` | Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller | + +### Features + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| features.admissionReports.enabled | bool | `true` | Enables the feature | +| features.aggregateReports.enabled | bool | `true` | Enables the feature | +| features.policyReports.enabled | bool | `true` | Enables the feature | +| features.validatingAdmissionPolicyReports.enabled | bool | `false` | Enables the feature | +| features.reporting.validate | bool | `true` | Enables the feature | +| features.reporting.mutate | bool | `true` | Enables the feature | +| features.reporting.mutateExisting | bool | `true` | Enables the feature | +| features.reporting.imageVerify | bool | `true` | Enables the feature | +| features.reporting.generate | bool | `true` | Enables the feature | +| features.autoUpdateWebhooks.enabled | bool | `true` | Enables the feature | +| features.backgroundScan.enabled | bool | `true` | Enables the feature | +| features.backgroundScan.backgroundScanWorkers | int | `2` | Number of background scan workers | +| features.backgroundScan.backgroundScanInterval | string | `"1h"` | Background scan interval | +| features.backgroundScan.skipResourceFilters | bool | `true` | Skips resource filters in background scan | +| features.configMapCaching.enabled | bool | `true` | Enables the feature | +| features.deferredLoading.enabled | bool | `true` | Enables the feature | +| features.dumpPayload.enabled | bool | `false` | Enables the feature | +| features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature | +| features.generateValidatingAdmissionPolicy.enabled | bool | `false` | Enables the feature | +| features.dumpPatches.enabled | bool | `false` | Enables the feature | +| features.globalContext.maxApiCallResponseLength | int | `2000000` | Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended) | +| features.logging.format | string | `"text"` | Logging format | +| features.logging.verbosity | int | `2` | Logging verbosity | +| features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) | +| features.policyExceptions.enabled | bool | `false` | Enables the feature | +| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace Set to "*" to allow exceptions in all namespaces | +| features.protectManagedResources.enabled | bool | `false` | Enables the feature | +| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry | +| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers | +| features.ttlController.reconciliationInterval | string | `"1m"` | Reconciliation interval for the label based cleanup manager | +| features.tuf.enabled | bool | `false` | Enables the feature | +| features.tuf.root | string | `nil` | Path to Tuf root | +| features.tuf.rootRaw | string | `nil` | Raw Tuf root | +| features.tuf.mirror | string | `nil` | Tuf mirror | + +### Admission controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admissionController.autoscaling.enabled | bool | `false` | Enable horizontal pod autoscaling | +| admissionController.autoscaling.minReplicas | int | `1` | Minimum number of pods | +| admissionController.autoscaling.maxReplicas | int | `10` | Maximum number of pods | +| admissionController.autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization percentage | +| admissionController.autoscaling.behavior | object | `{}` | Configurable scaling behavior | +| admissionController.featuresOverride | object | `{"admissionReports":{"backPressureThreshold":1000}}` | Overrides features defined at the root level | +| admissionController.featuresOverride.admissionReports.backPressureThreshold | int | `1000` | Max number of admission reports allowed in flight until the admission controller stops creating new ones | +| admissionController.rbac.create | bool | `true` | Create RBAC resources | +| admissionController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | +| admissionController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | +| admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | +| admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| admissionController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | +| admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | +| admissionController.replicas | int | `nil` | Desired number of pods | +| admissionController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| admissionController.resyncPeriod | string | `"15m"` | Resync period for informers | +| admissionController.podLabels | object | `{}` | Additional labels to add to each pod | +| admissionController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| admissionController.annotations | object | `{}` | Deployment annotations. | +| admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| admissionController.priorityClassName | string | `""` | Optional priority class | +| admissionController.apiPriorityAndFairness | bool | `false` | Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ | +| admissionController.priorityLevelConfigurationSpec | object | See [values.yaml](values.yaml) | Priority level configuration. The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration | +| admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| admissionController.webhookServer | object | `{"port":9443}` | admissionController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to | +| admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| admissionController.dnsConfig | object | `{}` | `dnsConfig` allows to specify DNS configuration for the pod. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. | +| admissionController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| admissionController.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| admissionController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| admissionController.nodeSelector | object | `{}` | Node labels for pod assignment | +| admissionController.tolerations | list | `[]` | List of node taints to tolerate | +| admissionController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | +| admissionController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| admissionController.podAffinity | object | `{}` | Pod affinity constraints. | +| admissionController.nodeAffinity | object | `{}` | Node affinity constraints. | +| admissionController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| admissionController.podSecurityContext | object | `{}` | Security context for the pod | +| admissionController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | +| admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | +| admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | +| admissionController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| admissionController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.admissionController.caCertificates.data` is defined | +| admissionController.imagePullSecrets | list | `[]` | Image pull secrets | +| admissionController.initContainer.image.registry | string | `nil` | Image registry | +| admissionController.initContainer.image.defaultRegistry | string | `"reg.kyverno.io"` | | +| admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository | +| admissionController.initContainer.image.tag | string | `nil` | Image tag If missing, defaults to image.tag | +| admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy | +| admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | +| admissionController.initContainer.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | +| admissionController.initContainer.extraArgs | object | `{}` | Additional container args. | +| admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. | +| admissionController.container.image.registry | string | `nil` | Image registry | +| admissionController.container.image.defaultRegistry | string | `"reg.kyverno.io"` | | +| admissionController.container.image.repository | string | `"kyverno/kyverno"` | Image repository | +| admissionController.container.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| admissionController.container.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| admissionController.container.resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | +| admissionController.container.resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | +| admissionController.container.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | +| admissionController.container.extraArgs | object | `{}` | Additional container args. | +| admissionController.container.extraEnvVars | list | `[]` | Additional container environment variables. | +| admissionController.extraInitContainers | list | `[]` | Array of extra init containers | +| admissionController.extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | +| admissionController.service.port | int | `443` | Service port. | +| admissionController.service.type | string | `"ClusterIP"` | Service type. | +| admissionController.service.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| admissionController.service.annotations | object | `{}` | Service annotations. | +| admissionController.metricsService.create | bool | `true` | Create service. | +| admissionController.metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. | +| admissionController.metricsService.type | string | `"ClusterIP"` | Service type. | +| admissionController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| admissionController.metricsService.annotations | object | `{}` | Service annotations. | +| admissionController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| admissionController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | +| admissionController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. | +| admissionController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| admissionController.serviceMonitor.namespace | string | `nil` | Override namespace | +| admissionController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| admissionController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| admissionController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| admissionController.serviceMonitor.relabelings | list | `[]` | RelabelConfigs to apply to samples before scraping | +| admissionController.serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion. | +| admissionController.tracing.enabled | bool | `false` | Enable tracing | +| admissionController.tracing.address | string | `nil` | Traces receiver address | +| admissionController.tracing.port | string | `nil` | Traces receiver port | +| admissionController.tracing.creds | string | `""` | Traces receiver credentials | +| admissionController.metering.disabled | bool | `false` | Disable metrics export | +| admissionController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| admissionController.metering.port | int | `8000` | Prometheus endpoint port | +| admissionController.metering.collector | string | `""` | Otel collector endpoint | +| admissionController.metering.creds | string | `""` | Otel collector credentials | +| admissionController.profiling.enabled | bool | `false` | Enable profiling | +| admissionController.profiling.port | int | `6060` | Profiling endpoint port | +| admissionController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| admissionController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | + +### Background controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backgroundController.featuresOverride | object | `{}` | Overrides features defined at the root level | +| backgroundController.enabled | bool | `true` | Enable background controller. | +| backgroundController.rbac.create | bool | `true` | Create RBAC resources | +| backgroundController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | +| backgroundController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | +| backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name | +| backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | +| backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| backgroundController.image.registry | string | `nil` | Image registry | +| backgroundController.image.defaultRegistry | string | `"reg.kyverno.io"` | | +| backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository | +| backgroundController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| backgroundController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| backgroundController.imagePullSecrets | list | `[]` | Image pull secrets | +| backgroundController.replicas | int | `nil` | Desired number of pods | +| backgroundController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| backgroundController.resyncPeriod | string | `"15m"` | Resync period for informers | +| backgroundController.podLabels | object | `{}` | Additional labels to add to each pod | +| backgroundController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| backgroundController.annotations | object | `{}` | Deployment annotations. | +| backgroundController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| backgroundController.priorityClassName | string | `""` | Optional priority class | +| backgroundController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| backgroundController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| backgroundController.dnsConfig | object | `{}` | `dnsConfig` allows to specify DNS configuration for the pod. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. | +| backgroundController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | +| backgroundController.extraEnvVars | list | `[]` | Additional container environment variables. | +| backgroundController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | +| backgroundController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | +| backgroundController.nodeSelector | object | `{}` | Node labels for pod assignment | +| backgroundController.tolerations | list | `[]` | List of node taints to tolerate | +| backgroundController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | +| backgroundController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| backgroundController.podAffinity | object | `{}` | Pod affinity constraints. | +| backgroundController.nodeAffinity | object | `{}` | Node affinity constraints. | +| backgroundController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| backgroundController.podSecurityContext | object | `{}` | Security context for the pod | +| backgroundController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| backgroundController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | +| backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| backgroundController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| backgroundController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.backgroundController.caCertificates.data` is defined | +| backgroundController.metricsService.create | bool | `true` | Create service. | +| backgroundController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | +| backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. | +| backgroundController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. | +| backgroundController.metricsService.annotations | object | `{}` | Service annotations. | +| backgroundController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| backgroundController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | +| backgroundController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. | +| backgroundController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| backgroundController.serviceMonitor.namespace | string | `nil` | Override namespace | +| backgroundController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| backgroundController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| backgroundController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| backgroundController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| backgroundController.serviceMonitor.relabelings | list | `[]` | RelabelConfigs to apply to samples before scraping | +| backgroundController.serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion. | +| backgroundController.tracing.enabled | bool | `false` | Enable tracing | +| backgroundController.tracing.address | string | `nil` | Traces receiver address | +| backgroundController.tracing.port | string | `nil` | Traces receiver port | +| backgroundController.tracing.creds | string | `""` | Traces receiver credentials | +| backgroundController.metering.disabled | bool | `false` | Disable metrics export | +| backgroundController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| backgroundController.metering.port | int | `8000` | Prometheus endpoint port | +| backgroundController.metering.collector | string | `""` | Otel collector endpoint | +| backgroundController.metering.creds | string | `""` | Otel collector credentials | +| backgroundController.server | object | `{"port":9443}` | backgroundController server port in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to | +| backgroundController.profiling.enabled | bool | `false` | Enable profiling | +| backgroundController.profiling.port | int | `6060` | Profiling endpoint port | +| backgroundController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| backgroundController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | + +### Cleanup controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cleanupController.featuresOverride | object | `{}` | Overrides features defined at the root level | +| cleanupController.enabled | bool | `true` | Enable cleanup controller. | +| cleanupController.rbac.create | bool | `true` | Create RBAC resources | +| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name | +| cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | +| cleanupController.image.registry | string | `nil` | Image registry | +| cleanupController.image.defaultRegistry | string | `"reg.kyverno.io"` | | +| cleanupController.image.repository | string | `"kyverno/cleanup-controller"` | Image repository | +| cleanupController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| cleanupController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| cleanupController.imagePullSecrets | list | `[]` | Image pull secrets | +| cleanupController.replicas | int | `nil` | Desired number of pods | +| cleanupController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| cleanupController.resyncPeriod | string | `"15m"` | Resync period for informers | +| cleanupController.podLabels | object | `{}` | Additional labels to add to each pod | +| cleanupController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| cleanupController.annotations | object | `{}` | Deployment annotations. | +| cleanupController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| cleanupController.priorityClassName | string | `""` | Optional priority class | +| cleanupController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| cleanupController.server | object | `{"port":9443}` | cleanupController server port in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to | +| cleanupController.webhookServer | object | `{"port":9443}` | cleanupController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to | +| cleanupController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| cleanupController.dnsConfig | object | `{}` | `dnsConfig` allows to specify DNS configuration for the pod. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. | +| cleanupController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | +| cleanupController.extraEnvVars | list | `[]` | Additional container environment variables. | +| cleanupController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | +| cleanupController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | +| cleanupController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| cleanupController.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| cleanupController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| cleanupController.nodeSelector | object | `{}` | Node labels for pod assignment | +| cleanupController.tolerations | list | `[]` | List of node taints to tolerate | +| cleanupController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | +| cleanupController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| cleanupController.podAffinity | object | `{}` | Pod affinity constraints. | +| cleanupController.nodeAffinity | object | `{}` | Node affinity constraints. | +| cleanupController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| cleanupController.podSecurityContext | object | `{}` | Security context for the pod | +| cleanupController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| cleanupController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | +| cleanupController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| cleanupController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| cleanupController.service.port | int | `443` | Service port. | +| cleanupController.service.type | string | `"ClusterIP"` | Service type. | +| cleanupController.service.nodePort | string | `nil` | Service node port. Only used if `service.type` is `NodePort`. | +| cleanupController.service.annotations | object | `{}` | Service annotations. | +| cleanupController.metricsService.create | bool | `true` | Create service. | +| cleanupController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | +| cleanupController.metricsService.type | string | `"ClusterIP"` | Service type. | +| cleanupController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. | +| cleanupController.metricsService.annotations | object | `{}` | Service annotations. | +| cleanupController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| cleanupController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | +| cleanupController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. | +| cleanupController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace | +| cleanupController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| cleanupController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| cleanupController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| cleanupController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| cleanupController.serviceMonitor.relabelings | list | `[]` | RelabelConfigs to apply to samples before scraping | +| cleanupController.serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion. | +| cleanupController.tracing.enabled | bool | `false` | Enable tracing | +| cleanupController.tracing.address | string | `nil` | Traces receiver address | +| cleanupController.tracing.port | string | `nil` | Traces receiver port | +| cleanupController.tracing.creds | string | `""` | Traces receiver credentials | +| cleanupController.metering.disabled | bool | `false` | Disable metrics export | +| cleanupController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| cleanupController.metering.port | int | `8000` | Prometheus endpoint port | +| cleanupController.metering.collector | string | `""` | Otel collector endpoint | +| cleanupController.metering.creds | string | `""` | Otel collector credentials | +| cleanupController.profiling.enabled | bool | `false` | Enable profiling | +| cleanupController.profiling.port | int | `6060` | Profiling endpoint port | +| cleanupController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| cleanupController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | + +### Reports controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| reportsController.featuresOverride | object | `{}` | Overrides features defined at the root level | +| reportsController.enabled | bool | `true` | Enable reports controller. | +| reportsController.rbac.create | bool | `true` | Create RBAC resources | +| reportsController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | +| reportsController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | +| reportsController.rbac.serviceAccount.name | string | `nil` | Service account name | +| reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | +| reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| reportsController.image.registry | string | `nil` | Image registry | +| reportsController.image.defaultRegistry | string | `"reg.kyverno.io"` | | +| reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository | +| reportsController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| reportsController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| reportsController.imagePullSecrets | list | `[]` | Image pull secrets | +| reportsController.replicas | int | `nil` | Desired number of pods | +| reportsController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| reportsController.resyncPeriod | string | `"15m"` | Resync period for informers | +| reportsController.podLabels | object | `{}` | Additional labels to add to each pod | +| reportsController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| reportsController.annotations | object | `{}` | Deployment annotations. | +| reportsController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| reportsController.priorityClassName | string | `""` | Optional priority class | +| reportsController.apiPriorityAndFairness | bool | `false` | Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ | +| reportsController.priorityLevelConfigurationSpec | object | See [values.yaml](values.yaml) | Priority level configuration. The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration | +| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| reportsController.dnsConfig | object | `{}` | `dnsConfig` allows to specify DNS configuration for the pod. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. | +| reportsController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | +| reportsController.extraEnvVars | list | `[]` | Additional container environment variables. | +| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | +| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | +| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment | +| reportsController.tolerations | list | `[]` | List of node taints to tolerate | +| reportsController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | +| reportsController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| reportsController.podAffinity | object | `{}` | Pod affinity constraints. | +| reportsController.nodeAffinity | object | `{}` | Node affinity constraints. | +| reportsController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| reportsController.podSecurityContext | object | `{}` | Security context for the pod | +| reportsController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| reportsController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | +| reportsController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| reportsController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | +| reportsController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | +| reportsController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| reportsController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.reportsController.caCertificates.data` is defined | +| reportsController.metricsService.create | bool | `true` | Create service. | +| reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | +| reportsController.metricsService.type | string | `"ClusterIP"` | Service type. | +| reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| reportsController.metricsService.annotations | object | `{}` | Service annotations. | +| reportsController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| reportsController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | +| reportsController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. | +| reportsController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| reportsController.serviceMonitor.namespace | string | `nil` | Override namespace | +| reportsController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| reportsController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| reportsController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| reportsController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| reportsController.serviceMonitor.relabelings | list | `[]` | RelabelConfigs to apply to samples before scraping | +| reportsController.serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion. | +| reportsController.tracing.enabled | bool | `false` | Enable tracing | +| reportsController.tracing.address | string | `nil` | Traces receiver address | +| reportsController.tracing.port | string | `nil` | Traces receiver port | +| reportsController.tracing.creds | string | `nil` | Traces receiver credentials | +| reportsController.metering.disabled | bool | `false` | Disable metrics export | +| reportsController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| reportsController.metering.port | int | `8000` | Prometheus endpoint port | +| reportsController.metering.collector | string | `nil` | Otel collector endpoint | +| reportsController.metering.creds | string | `nil` | Otel collector credentials | +| reportsController.server | object | `{"port":9443}` | reportsController server port in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to | +| reportsController.profiling.enabled | bool | `false` | Enable profiling | +| reportsController.profiling.port | int | `6060` | Profiling endpoint port | +| reportsController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| reportsController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| reportsController.sanityChecks | bool | `true` | Enable sanity check for reports CRDs | + +### Grafana + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| grafana.enabled | bool | `false` | Enable grafana dashboard creation. | +| grafana.configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. | +| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. | +| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. | +| grafana.labels | object | `{"grafana_dashboard":"1"}` | Grafana dashboard configmap labels | +| grafana.grafanaDashboard | object | `{"allowCrossNamespaceImport":true,"create":false,"folder":"kyverno","matchLabels":{"dashboards":"grafana"}}` | create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ | + +### Webhooks cleanup + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. | +| webhooksCleanup.autoDeleteWebhooks.enabled | bool | `false` | Allow webhooks controller to delete webhooks using finalizers | +| webhooksCleanup.image.registry | string | `nil` | Image registry | +| webhooksCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository | +| webhooksCleanup.image.tag | string | `"1.32.3"` | Image tag Defaults to `latest` if omitted | +| webhooksCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | +| webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets | +| webhooksCleanup.podSecurityContext | object | `{}` | Security context for the pod | +| webhooksCleanup.nodeSelector | object | `{}` | Node labels for pod assignment | +| webhooksCleanup.tolerations | list | `[]` | List of node taints to tolerate | +| webhooksCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | +| webhooksCleanup.podAffinity | object | `{}` | Pod affinity constraints. | +| webhooksCleanup.podLabels | object | `{}` | Pod labels. | +| webhooksCleanup.podAnnotations | object | `{}` | Pod annotations. | +| webhooksCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | +| webhooksCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | +| webhooksCleanup.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| webhooksCleanup.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | + +### Test + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| test.sleep | int | `20` | Sleep time before running test | +| test.image.registry | string | `nil` | Image registry | +| test.image.repository | string | `"busybox"` | Image repository | +| test.image.tag | string | `"1.35"` | Image tag Defaults to `latest` if omitted | +| test.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | +| test.imagePullSecrets | list | `[]` | Image pull secrets | +| test.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | +| test.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers | + +### Api version override + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| apiVersionOverride.podDisruptionBudget | string | `nil` | Override api version used to create `PodDisruptionBudget`` resources. When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to determine the api version automatically. | + +### Other + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.image.registry | string | `nil` | Global value that allows to set a single image registry across all deployments. When set, it will override any values set under `.image.registry` across the chart. | +| global.imagePullSecrets | list | `[]` | Global list of Image pull secrets When set, it will override any values set under `imagePullSecrets` under different components across the chart. | +| global.resyncPeriod | string | `"15m"` | Resync period for informers | +| global.caCertificates.data | string | `nil` | Global CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates Individual controller values will override this global value | +| global.caCertificates.volume | object | `{}` | Global value to set single volume to be mounted for CA certificates for all deployments. Not used when `.Values.global.caCertificates.data` is defined Individual controller values will override this global value | +| global.extraEnvVars | list | `[]` | Additional container environment variables to apply to all containers and init containers | +| global.nodeSelector | object | `{}` | Global node labels for pod assignment. Non-global values will override the global value. | +| global.tolerations | list | `[]` | Global List of node taints to tolerate. Non-global values will override the global value. | +| nameOverride | string | `nil` | Override the name of the chart | +| fullnameOverride | string | `nil` | Override the expanded name of the chart | +| namespaceOverride | string | `nil` | Override the namespace the chart deploys to | +| upgrade.fromV2 | bool | `false` | Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. | +| rbac.roles.aggregate | object | `{"admin":true,"view":true}` | Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) | +| imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | +| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | +| customLabels | object | `{}` | Additional labels | +| policyReportsCleanup.enabled | bool | `true` | Create a helm post-upgrade hook to cleanup the old policy reports. | +| policyReportsCleanup.image.registry | string | `nil` | Image registry | +| policyReportsCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository | +| policyReportsCleanup.image.tag | string | `"1.32.3"` | Image tag Defaults to `latest` if omitted | +| policyReportsCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | +| policyReportsCleanup.imagePullSecrets | list | `[]` | Image pull secrets | +| policyReportsCleanup.podSecurityContext | object | `{}` | Security context for the pod | +| policyReportsCleanup.nodeSelector | object | `{}` | Node labels for pod assignment | +| policyReportsCleanup.tolerations | list | `[]` | List of node taints to tolerate | +| policyReportsCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | +| policyReportsCleanup.podAffinity | object | `{}` | Pod affinity constraints. | +| policyReportsCleanup.podLabels | object | `{}` | Pod labels. | +| policyReportsCleanup.podAnnotations | object | `{}` | Pod annotations. | +| policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | +| policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | +| policyReportsCleanup.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| policyReportsCleanup.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | + +## TLS Configuration + +If `admissionController.createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) + +If `admissionController.createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). + +## Default resource filters + +[Kyverno resource filters](https://kyverno.io/docs/installation/#resource-filters) are a used to exclude resources from the Kyverno engine rules processing. + +This chart comes with default resource filters that apply exclusions on a couple of namespaces and resource kinds: +- all resources in `kube-system`, `kube-public` and `kube-node-lease` namespaces +- all resources in all namespaces for the following resource kinds: + - `Event` + - `Node` + - `APIService` + - `TokenReview` + - `SubjectAccessReview` + - `SelfSubjectAccessReview` + - `Binding` + - `ReplicaSet` + - `AdmissionReport` + - `ClusterAdmissionReport` + - `BackgroundScanReport` + - `ClusterBackgroundScanReport` +- all resources created by this chart itself + +Those default exclusions are there to prevent disruptions as much as possible. +Under the hood, Kyverno installs an admission controller for critical cluster resources. +A cluster can become unresponsive if Kyverno is not up and running, ultimately preventing pods to be scheduled in the cluster. + +You can however override the default resource filters by setting the `config.resourceFilters` stanza. +It contains an array of string templates that are passed through the `tpl` Helm function and joined together to produce the final `resourceFilters` written in the Kyverno config map. + +Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list. + +Add entries to `config.resourceFiltersExclude` that you wish to omit from `config.resourceFilters`. + +Add entries to `config.resourceFiltersInclude` that you with to add to `config.resourceFilters`. + +## High availability + +Running a highly-available Kyverno installation is crucial in a production environment. + +In order to run Kyverno in high availability mode, you should set `replicas` to `3` or more for desired components. +You should also pay attention to anti affinity rules, spreading pods across nodes and availability zones. + +Please see https://kyverno.io/docs/installation/#security-vs-operability for more informations. + +## Source Code + +* + +## Requirements + +Kubernetes: `>=1.25.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | crds | 3.4.1 | +| | grafana | 3.4.1 | + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Nirmata | | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/k3-kyverno-test/kyverno/charts/crds/Chart.yaml b/k3-kyverno-test/kyverno/charts/crds/Chart.yaml new file mode 100644 index 0000000..caa4f69 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: crds +version: 3.4.1 diff --git a/k3-kyverno-test/kyverno/charts/crds/README.md b/k3-kyverno-test/kyverno/charts/crds/README.md new file mode 100644 index 0000000..c870a24 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/README.md @@ -0,0 +1,17 @@ +# crds + +![Version: 3.4.1](https://img.shields.io/badge/Version-3.4.1-informational?style=flat-square) + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart | +| groups.policies | object | `{"imagevalidatingpolicies":true,"policyexceptions":true,"validatingpolicies":true}` | Install CRDs in group `reports.kyverno.io` | +| groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart | +| groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart | +| annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart | +| customLabels | object | `{}` | This field can be overwritten by setting crds.labels in the parent chart | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/_helpers.tpl b/k3-kyverno-test/kyverno/charts/crds/templates/_helpers.tpl new file mode 100644 index 0000000..5401de5 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/_helpers.tpl @@ -0,0 +1,16 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.crds.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.crds.matchLabels" .) + (toYaml .Values.customLabels) +) -}} +{{- end -}} + +{{- define "kyverno.crds.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "crds") +) -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml new file mode 100644 index 0000000..8b64620 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml @@ -0,0 +1,2612 @@ +{{- if .Values.groups.kyverno.cleanuppolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: cleanuppolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: CleanupPolicy + listKind: CleanupPolicyList + plural: cleanuppolicies + shortNames: + - cleanpol + singular: cleanuppolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers + to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deletionPropagationPolicy: + description: DeletionPropagationPolicy defines how resources will + be deleted (Foreground, Background, Orphan). + enum: + - Foreground + - Background + - Orphan + type: string + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - match + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v2beta1 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers + to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deletionPropagationPolicy: + description: DeletionPropagationPolicy defines how resources will + be deleted (Foreground, Background, Orphan). + enum: + - Foreground + - Background + - Orphan + type: string + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - match + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml new file mode 100644 index 0000000..833b2b5 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml @@ -0,0 +1,2612 @@ +{{- if .Values.groups.kyverno.clustercleanuppolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: clustercleanuppolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterCleanupPolicy + listKind: ClusterCleanupPolicyList + plural: clustercleanuppolicies + shortNames: + - ccleanpol + singular: clustercleanuppolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers + to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deletionPropagationPolicy: + description: DeletionPropagationPolicy defines how resources will + be deleted (Foreground, Background, Orphan). + enum: + - Foreground + - Background + - Orphan + type: string + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - match + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers + to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deletionPropagationPolicy: + description: DeletionPropagationPolicy defines how resources will + be deleted (Foreground, Background, Orphan). + enum: + - Foreground + - Background + - Orphan + type: string + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - match + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml new file mode 100644 index 0000000..a0f96a4 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml @@ -0,0 +1,20317 @@ +{{- if .Values.groups.kyverno.clusterpolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterPolicy + listKind: ClusterPolicyList + plural: clusterpolicies + shortNames: + - cpol + singular: clusterpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + emitWarning: + default: false + description: |- + EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. + Enabling this option will extend admission request processing times. The default value is "false". + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP + headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for + public keys. Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message to + be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report + result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is + defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use + attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message + to be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + type: object + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + emitWarning: + default: false + description: |- + EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. + Enabling this option will extend admission request processing times. The default value is "false". + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP + headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for + public keys. Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message to + be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report + result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is + defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use + attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message + to be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + type: object + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml new file mode 100644 index 0000000..eaa328e --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml @@ -0,0 +1,280 @@ +{{- if .Values.groups.kyverno.globalcontextentries }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: globalcontextentries.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: GlobalContextEntry + listKind: GlobalContextEntryList + plural: globalcontextentries + shortNames: + - gctxentry + singular: globalcontextentry + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.apiCall.refreshInterval + name: REFRESH INTERVAL + type: string + - jsonPath: .status.lastRefreshTime + name: LAST REFRESH + type: date + name: v2alpha1 + schema: + openAPIV3Schema: + description: GlobalContextEntry declares resources to be cached. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + oneOf: + - required: + - kubernetesResource + - required: + - apiCall + properties: + apiCall: + description: |- + Stores results from an API call which will be cached. + Mutually exclusive with KubernetesResource. + This can be used to make calls to external (non-Kubernetes API server) services. + It can also be used to make calls to the Kubernetes API server in such cases: + 1. A POST is needed to create a resource. + 2. Finer-grained control is needed. Example: To restrict the number of resources cached. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + method: + default: GET + description: Method is the HTTP request type (GET or POST). Defaults + to GET. + enum: + - GET + - POST + type: string + refreshInterval: + default: 10m + description: |- + RefreshInterval defines the interval in duration at which to poll the APICall. + The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix, + such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + format: duration + type: string + retryLimit: + default: 3 + description: RetryLimit defines the number of times the APICall + should be retried in case of failure. + minimum: 1 + type: integer + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP headers to + be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + kubernetesResource: + description: |- + Stores a list of Kubernetes resources which will be cached. + Mutually exclusive with APICall. + properties: + group: + description: Group defines the group of the resource. + type: string + namespace: + description: |- + Namespace defines the namespace of the resource. Leave empty for cluster scoped resources. + If left empty for namespaced resources, all resources from all namespaces will be cached. + type: string + resource: + description: |- + Resource defines the type of the resource. + Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments") + type: string + version: + description: Version defines the version of the resource. + type: string + required: + - resource + - version + type: object + projections: + description: Projections defines the list of JMESPath expressions + to extract values from the cached resource. + items: + properties: + jmesPath: + description: JMESPath is the JMESPath expression to extract + the value from the cached resource. + type: string + name: + description: Name is the name to use for the extracted value + in the context. + type: string + required: + - jmesPath + - name + type: object + type: array + type: object + status: + description: Status contains globalcontextentry runtime data. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastRefreshTime: + description: Indicates the time when the globalcontextentry was last + refreshed successfully for the API Call + format: date-time + type: string + ready: + description: Deprecated in favor of Conditions + type: boolean + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml new file mode 100644 index 0000000..22270dd --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -0,0 +1,20320 @@ +{{- if .Values.groups.kyverno.policies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: policies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + emitWarning: + default: false + description: |- + EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. + Enabling this option will extend admission request processing times. The default value is "false". + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP + headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for + public keys. Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message to + be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Deprecated. Policy metrics are available via the metrics + endpoint + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report + result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is + defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use + attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message + to be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + type: object + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + emitWarning: + default: false + description: |- + EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. + Enabling this option will extend admission request processing times. The default value is "false". + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional HTTP + headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the + request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the header + value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for + public keys. Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message to + be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of optional + HTTP headers to be included in the request. + items: + properties: + key: + description: Key is the header key + type: string + value: + description: Value is the header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + foreach: + description: ForEach applies generate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + reportProperties: + additionalProperties: + type: string + description: ReportProperties are the additional properties + from the rule that will be added to the policy report + result + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + name is the name of the resource being referenced. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + + A single parameter used for all admission requests can be configured + by setting the `name` field, leaving `selector` blank, and setting namespace + if `paramKind` is namespace-scoped. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + Allowed values are `Allow` or `Deny` + + Required + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is + defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + oneOf: + - required: + - configMap + - required: + - apiCall + - required: + - imageRegistry + - required: + - variable + - required: + - globalReference + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + default: + description: |- + Default is an optional arbitrary JSON object that the context + value is set to, if the apiCall returns error. + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + headers: + description: Headers is a list of + optional HTTP headers to be included + in the request. + items: + properties: + key: + description: Key is the header + key + type: string + value: + description: Value is the + header value + type: string + required: + - key + - value + type: object + type: array + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + required: + - name + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use + attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + name: + description: Name is the variable name. + type: string + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Deprecated. Use attestor.signatureAlgorithm + instead. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - SigstoreBundle + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validate: + description: |- + Validation checks conditions across multiple image + verification attestations or context entries + properties: + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + message: + description: Message specifies a custom message + to be displayed on failure. + type: string + type: object + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - match + - name + type: object + type: array + type: object + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml new file mode 100644 index 0000000..f5b1fb6 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml @@ -0,0 +1,1308 @@ +{{- if .Values.groups.kyverno.policyexceptions }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: policyexceptions.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: PolicyException + listKind: PolicyExceptionList + plural: policyexceptions + shortNames: + - polex + singular: policyexception + scope: Namespaced + versions: + - name: v2 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + background: + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + conditions: + description: |- + Conditions are used to determine if a resource applies to the exception by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + exceptions: + description: Exceptions is a list policy/rules to be excluded + items: + description: Exception stores infos about a policy and rules + properties: + policyName: + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. + type: string + ruleNames: + description: RuleNames identifies the rules to which the exception + is applied. + items: + type: string + type: array + required: + - policyName + - ruleNames + type: object + type: array + match: + description: Match defines match clause used to check if a resource + applies to the exception + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + podSecurity: + description: |- + PodSecurity specifies the Pod Security Standard controls to be excluded. + Applicable only to policies that have validate.podSecurity subrule. + items: + description: PodSecurityStandard specifies the Pod Security Standard + controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + required: + - exceptions + - match + type: object + required: + - spec + type: object + served: true + storage: true + - deprecated: true + name: v2beta1 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + background: + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + conditions: + description: |- + Conditions are used to determine if a resource applies to the exception by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + exceptions: + description: Exceptions is a list policy/rules to be excluded + items: + description: Exception stores infos about a policy and rules + properties: + policyName: + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. + type: string + ruleNames: + description: RuleNames identifies the rules to which the exception + is applied. + items: + type: string + type: array + required: + - policyName + - ruleNames + type: object + type: array + match: + description: Match defines match clause used to check if a resource + applies to the exception + not: + required: + - any + - all + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + not: + required: + - name + - names + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + podSecurity: + description: |- + PodSecurity specifies the Pod Security Standard controls to be excluded. + Applicable only to policies that have validate.podSecurity subrule. + items: + description: PodSecurityStandard specifies the Pod Security Standard + controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + required: + - exceptions + - match + type: object + required: + - spec + type: object + served: true + storage: false +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml new file mode 100644 index 0000000..738caed --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml @@ -0,0 +1,838 @@ +{{- if .Values.groups.kyverno.updaterequests }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: updaterequests.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: UpdateRequest + listKind: UpdateRequestList + plural: updaterequests + shortNames: + - ur + singular: updaterequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.rule + name: Rule + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + See documentation for the "matchPolicy" field in the webhook configuration type. + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean + policy: + description: Specifies the name of the policy. + type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + handler: + description: Deprecated + type: string + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: |- + Context represents admission request context. + It is used upon admission review only and is shared across rules within the same UR. + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + See documentation for the "matchPolicy" field in the webhook configuration type. + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + synchronize: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: |- + DeleteDownstream represents whether the downstream needs to be deleted. + Deprecated + type: boolean + policy: + description: Specifies the name of the policy. + type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + ruleContext: + description: |- + RuleContext is the associate context to apply rules. + optional + items: + properties: + deleteDownstream: + description: DeleteDownstream represents whether the downstream + needs to be deleted. + type: boolean + rule: + description: Rule is the associate rule name of the current + UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + trigger: + description: ResourceSpec is the information to identify the + trigger resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + required: + - deleteDownstream + - rule + - trigger + type: object + type: array + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + Deprecated, will be removed in 1.14. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml new file mode 100644 index 0000000..42e8fd9 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml @@ -0,0 +1,2241 @@ +{{- if .Values.groups.policies.imagevalidatingpolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: imagevalidatingpolicies.policies.kyverno.io +spec: + group: policies.kyverno.io + names: + categories: + - kyverno + kind: ImageValidatingPolicy + listKind: ImageValidatingPolicyList + plural: imagevalidatingpolicies + shortNames: + - ivpol + singular: imagevalidatingpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .status.conditionStatus.ready + name: READY + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ImageValidatingPolicySpec is the specification of the desired + behavior of the ImageValidatingPolicy. + properties: + attestations: + description: Attestations provides a list of image metadata to verify + items: + description: Attestation defines the identification details of the metadata + that has to be verified + properties: + intoto: + description: InToto defines the details of attestation attached + using intoto format + properties: + type: + description: Type defines the type of attestation contained + within the statement. + type: string + required: + - type + type: object + name: + description: Name is the name for this attestation. It is used + to refer to the attestation in verification + type: string + referrer: + description: Referrer defines the details of attestation attached + using OCI 1.1 format + properties: + type: + description: Type defines the type of attestation attached + to the image. + type: string + required: + - type + type: object + required: + - name + type: object + type: array + attestors: + description: Attestors provides a list of trusted authorities. + items: + description: Attestor is an identity that confirms or verifies the + authenticity of an image or an attestation + properties: + cosign: + description: Cosign defines attestor configuration for Cosign + based signatures + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + certificate: + description: Certificate defines the configuration for local + signature verification + properties: + cert: + description: Certificate is the to the public certificate + for local signature verification. + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a CEL expression + input. + type: string + value: + description: Value defines the raw string input. + type: string + type: object + certChain: + description: |- + CertificateChain is the list of CA certificates in PEM format which will be needed + when building the certificate chain for the signing certificate. Must start with the + parent intermediate CA certificate of the signing certificate and end with the root certificate + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a CEL expression + input. + type: string + value: + description: Value defines the raw string input. + type: string + type: object + type: object + ctlog: + description: CTLog sets the configuration to verify the + authority against a Rekor instance. + properties: + ctLogPubKey: + description: CTLogPubKey, if set, is used to validate + SCTs against a custom source. + type: string + insecureIgnoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + insecureIgnoreTlog: + description: InsecureIgnoreTlog skips transparency log + verification. + type: boolean + rekorPubKey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + url: + description: URL sets the url to the rekor instance + (by default the public rekor.sigstore.dev) + type: string + type: object + key: + description: Key defines the type of key to validate the + image. + properties: + data: + description: Data contains the inline public key + type: string + expression: + description: Expression is a Expression expression that + returns the public key. + type: string + hashAlgorithm: + description: |- + HashAlgorithm specifues signature algorithm for public keys. Supported values are + sha224, sha256, sha384 and sha512. Defaults to sha256. + type: string + kms: + description: |- + KMS contains the KMS url of the public key + Supported formats differ based on the KMS system used. + type: string + type: object + keyless: + description: Keyless sets the configuration to verify the + authority against a Fulcio instance. + properties: + identities: + description: Identities sets a list of identities. + items: + description: |- + Identity may contain the issuer and/or the subject found in the transparency + log. + Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp + apply a regexp for matching. + properties: + issuer: + description: Issuer defines the issuer for this + identity. + type: string + issuerRegExp: + description: IssuerRegExp specifies a regular + expression to match the issuer for this identity. + type: string + subject: + description: Subject defines the subject for this + identity. + type: string + subjectRegExp: + description: SubjectRegExp specifies a regular + expression to match the subject for this identity. + type: string + type: object + type: array + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + required: + - identities + type: object + source: + description: Sources sets the configuration to specify the + sources from where to consume the signature and attestations. + properties: + PullSecrets: + description: |- + SignaturePullSecrets is an optional list of references to secrets in the + same namespace as the deploying resource for pulling any of the signatures + used by this Source. + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + repository: + description: Repository defines the location from where + to pull the signature / attestations. + type: string + tagPrefix: + description: |- + TagPrefix is an optional prefix that signature and attestations have. + This is the 'tag based discovery' and in the future once references are + fully supported that should likely be the preferred way to handle these. + type: string + type: object + tuf: + description: TUF defines the configuration to fetch sigstore + root + properties: + mirror: + description: Mirror is the base URL of Sigstore TUF + repository + type: string + root: + description: Root defines the path or data of the trusted + root + properties: + data: + description: Data is the base64 encoded TUF root + type: string + path: + description: Path is the URL or File location of + the TUF root + type: string + type: object + type: object + type: object + name: + description: Name is the name for this attestor. It is used + to refer to the attestor in verification + type: string + notary: + description: Notary defines attestor configuration for Notary + based signatures + properties: + certs: + description: Certs define the cert chain for Notary signature + verification + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a CEL expression + input. + type: string + value: + description: Value defines the raw string input. + type: string + type: object + tsaCerts: + description: TSACerts define the cert chain for verifying + timestamps of notary signature + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a CEL expression + input. + type: string + value: + description: Value defines the raw string input. + type: string + type: object + type: object + required: + - name + type: object + type: array + auditAnnotations: + description: |- + auditAnnotations contains CEL expressions which are used to produce audit + annotations for the audit event of the API request. + validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is + required. + items: + description: AuditAnnotation describes how to produce an audit annotation + for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + x-kubernetes-list-type: atomic + autogen: + description: AutogenConfiguration defines the configuration for the + generation controller. + properties: + podControllers: + description: PodControllers specifies whether to generate a pod + controllers rules. + properties: + controllers: + items: + type: string + type: array + type: object + type: object + credentials: + description: Credentials provides credentials that will be used for + authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access to a + registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: CredentialsProvidersType provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + evaluation: + description: EvaluationConfiguration defines the configuration for + the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation during background + scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + mode: + description: |- + Mode is the mode of policy evaluation. + Allowed values are "Kubernetes" or "JSON". + Optional. Default value is "Kubernetes". + type: string + type: object + failurePolicy: + description: |- + FailurePolicy defines how to handle failures for the admission policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid + or mis-configured policy definitions or bindings. + enum: + - Ignore + - Fail + type: string + images: + description: ImageExtractors is a list of CEL expression to extract + images from the resource + items: + properties: + expression: + description: Expression defines CEL expression to extract images + from the resource. + type: string + name: + description: Name is the name for this imageList. It is used + to refer to the images in verification block as images. + type: string + required: + - expression + - name + type: object + type: array + matchConditions: + description: |- + MatchConditions is a list of conditions that must be met for a request to be validated. + Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + There are a maximum of 64 match conditions allowed. + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + matchConstraints: + description: MatchConstraints specifies what resources this policy + is designed to validate. + properties: + excludeResourceRules: + description: |- + ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. + The exclude rules take precedence over include rules (if a resource matches both, it is excluded) + items: + description: NamedRuleWithOperations is a tuple of Operations + and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for + a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional white list of + names that the rule applies to. An empty set means that + everything is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + matchPolicy: + description: |- + matchPolicy defines how the "MatchResources" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". + + - Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. + + - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. + + Defaults to "Equivalent" + type: string + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the admission control policy on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the policy. + + For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] + } + + If instead you want to only run the policy on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] + } + + See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + for more examples of label selectors. + + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the validation based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the cel validation, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resourceRules: + description: |- + ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. + The policy cares about an operation if it matches _any_ Rule. + items: + description: NamedRuleWithOperations is a tuple of Operations + and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for + a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional white list of + names that the rule applies to. An empty set means that + everything is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + matchImageReferences: + description: |- + MatchImageReferences is a list of Glob and CELExpressions to match images. + Any image that matches one of the rules is considered for validation + Any image that does not match a rule is skipped, even when they are passed as arguments to + image verification functions + items: + description: MatchImageReference defines a Glob or a CEL expression + for matching images + oneOf: + - required: + - glob + - required: + - expression + properties: + expression: + description: Expression defines CEL Expressions for matching + images + type: string + glob: + description: Glob defines a globbing pattern for matching images + type: string + type: object + type: array + validationActions: + description: |- + ValidationAction specifies the action to be taken when the matched resource violates the policy. + Required. + items: + description: ValidationAction specifies a policy enforcement action. + enum: + - Deny + - Audit + - Warn + type: string + type: array + x-kubernetes-list-type: set + validationConfigurations: + default: {} + description: ValidationConfigurations defines settings for mutating + and verifying image digests, and enforcing image verification through + signatures. + properties: + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + required: + default: true + description: Required validates that images are verified, i.e., + have passed a signature or attestation check. + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a digest. + type: boolean + type: object + validations: + description: Validations contain CEL expressions which is used to + apply the image validation checks. + items: + description: Validation specifies the CEL expression which is used + to apply the validation. + properties: + expression: + description: "Expression represents the expression which will + be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, + organized into CEL variables as well as some other useful + variables:\n\n- 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE requests.\n- + 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by the policy binding + being evaluated. Only populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming + object belongs to. The value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, from its name to + its lazily evaluated value.\n For example, a variable named + 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization checks + for the principal (user or service account) of the request.\n + \ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the\n request resource.\n\nThe + `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. No other + metadata properties are accessible.\n\nOnly property names + of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible + property names are escaped according to the following rules + when accessed in the expression:\n- '__' escapes to '__underscores__'\n- + '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' + escapes to '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", + \"const\", \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", + \"return\".\nExamples:\n - Expression accessing a property + named \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression + accessing a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"}\n\nEquality on arrays + with list type of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type + use the semantics of the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements in `X` are + preserved and\n non-intersecting elements in `Y` are appended, + retaining their partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys in `X` are preserved + but the values\n are overwritten by values in `Y` when + the key sets of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining their partial + order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + items: + description: Variable is the definition of a variable that is used + for composition. A variable is defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + webhookConfiguration: + description: WebhookConfiguration defines the configuration for the + webhook. + properties: + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + required: + - attestors + - validations + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + properties: + configs: + additionalProperties: + properties: + spec: + description: ImageValidatingPolicySpec is the specification + of the desired behavior of the ImageValidatingPolicy. + properties: + attestations: + description: Attestations provides a list of image metadata + to verify + items: + description: Attestation defines the identification + details of the metadata that has to be verified + properties: + intoto: + description: InToto defines the details of attestation + attached using intoto format + properties: + type: + description: Type defines the type of attestation + contained within the statement. + type: string + required: + - type + type: object + name: + description: Name is the name for this attestation. + It is used to refer to the attestation in verification + type: string + referrer: + description: Referrer defines the details of attestation + attached using OCI 1.1 format + properties: + type: + description: Type defines the type of attestation + attached to the image. + type: string + required: + - type + type: object + required: + - name + type: object + type: array + attestors: + description: Attestors provides a list of trusted authorities. + items: + description: Attestor is an identity that confirms + or verifies the authenticity of an image or an attestation + properties: + cosign: + description: Cosign defines attestor configuration + for Cosign based signatures + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + certificate: + description: Certificate defines the configuration + for local signature verification + properties: + cert: + description: Certificate is the to the + public certificate for local signature + verification. + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the + a CEL expression input. + type: string + value: + description: Value defines the raw + string input. + type: string + type: object + certChain: + description: |- + CertificateChain is the list of CA certificates in PEM format which will be needed + when building the certificate chain for the signing certificate. Must start with the + parent intermediate CA certificate of the signing certificate and end with the root certificate + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the + a CEL expression input. + type: string + value: + description: Value defines the raw + string input. + type: string + type: object + type: object + ctlog: + description: CTLog sets the configuration + to verify the authority against a Rekor + instance. + properties: + ctLogPubKey: + description: CTLogPubKey, if set, is used + to validate SCTs against a custom source. + type: string + insecureIgnoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + insecureIgnoreTlog: + description: InsecureIgnoreTlog skips + transparency log verification. + type: boolean + rekorPubKey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + url: + description: URL sets the url to the rekor + instance (by default the public rekor.sigstore.dev) + type: string + type: object + key: + description: Key defines the type of key to + validate the image. + properties: + data: + description: Data contains the inline + public key + type: string + expression: + description: Expression is a Expression + expression that returns the public key. + type: string + hashAlgorithm: + description: |- + HashAlgorithm specifues signature algorithm for public keys. Supported values are + sha224, sha256, sha384 and sha512. Defaults to sha256. + type: string + kms: + description: |- + KMS contains the KMS url of the public key + Supported formats differ based on the KMS system used. + type: string + type: object + keyless: + description: Keyless sets the configuration + to verify the authority against a Fulcio + instance. + properties: + identities: + description: Identities sets a list of + identities. + items: + description: |- + Identity may contain the issuer and/or the subject found in the transparency + log. + Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp + apply a regexp for matching. + properties: + issuer: + description: Issuer defines the + issuer for this identity. + type: string + issuerRegExp: + description: IssuerRegExp specifies + a regular expression to match + the issuer for this identity. + type: string + subject: + description: Subject defines the + subject for this identity. + type: string + subjectRegExp: + description: SubjectRegExp specifies + a regular expression to match + the subject for this identity. + type: string + type: object + type: array + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + required: + - identities + type: object + source: + description: Sources sets the configuration + to specify the sources from where to consume + the signature and attestations. + properties: + PullSecrets: + description: |- + SignaturePullSecrets is an optional list of references to secrets in the + same namespace as the deploying resource for pulling any of the signatures + used by this Source. + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + repository: + description: Repository defines the location + from where to pull the signature / attestations. + type: string + tagPrefix: + description: |- + TagPrefix is an optional prefix that signature and attestations have. + This is the 'tag based discovery' and in the future once references are + fully supported that should likely be the preferred way to handle these. + type: string + type: object + tuf: + description: TUF defines the configuration + to fetch sigstore root + properties: + mirror: + description: Mirror is the base URL of + Sigstore TUF repository + type: string + root: + description: Root defines the path or + data of the trusted root + properties: + data: + description: Data is the base64 encoded + TUF root + type: string + path: + description: Path is the URL or File + location of the TUF root + type: string + type: object + type: object + type: object + name: + description: Name is the name for this attestor. + It is used to refer to the attestor in verification + type: string + notary: + description: Notary defines attestor configuration + for Notary based signatures + properties: + certs: + description: Certs define the cert chain for + Notary signature verification + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a + CEL expression input. + type: string + value: + description: Value defines the raw string + input. + type: string + type: object + tsaCerts: + description: TSACerts define the cert chain + for verifying timestamps of notary signature + oneOf: + - required: + - value + - required: + - expression + properties: + expression: + description: Expression defines the a + CEL expression input. + type: string + value: + description: Value defines the raw string + input. + type: string + type: object + type: object + required: + - name + type: object + type: array + auditAnnotations: + description: |- + auditAnnotations contains CEL expressions which are used to produce audit + annotations for the audit event of the API request. + validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is + required. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + x-kubernetes-list-type: atomic + autogen: + description: AutogenConfiguration defines the configuration + for the generation controller. + properties: + podControllers: + description: PodControllers specifies whether to + generate a pod controllers rules. + properties: + controllers: + items: + type: string + type: array + type: object + type: object + credentials: + description: Credentials provides credentials that will + be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: CredentialsProvidersType provides + the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + evaluation: + description: EvaluationConfiguration defines the configuration + for the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation + during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation + during background scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + mode: + description: |- + Mode is the mode of policy evaluation. + Allowed values are "Kubernetes" or "JSON". + Optional. Default value is "Kubernetes". + type: string + type: object + failurePolicy: + description: |- + FailurePolicy defines how to handle failures for the admission policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid + or mis-configured policy definitions or bindings. + enum: + - Ignore + - Fail + type: string + images: + description: ImageExtractors is a list of CEL expression + to extract images from the resource + items: + properties: + expression: + description: Expression defines CEL expression + to extract images from the resource. + type: string + name: + description: Name is the name for this imageList. + It is used to refer to the images in verification + block as images. + type: string + required: + - expression + - name + type: object + type: array + matchConditions: + description: |- + MatchConditions is a list of conditions that must be met for a request to be validated. + Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + There are a maximum of 64 match conditions allowed. + items: + description: MatchCondition represents a condition + which must by fulfilled for a request to be sent + to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + matchConstraints: + description: MatchConstraints specifies what resources + this policy is designed to validate. + properties: + excludeResourceRules: + description: |- + ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. + The exclude rules take precedence over include rules (if a resource matches both, it is excluded) + items: + description: NamedRuleWithOperations is a tuple + of Operations and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an + operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional + white list of names that the rule applies + to. An empty set means that everything + is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + matchPolicy: + description: |- + matchPolicy defines how the "MatchResources" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". + + - Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. + + - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. + + Defaults to "Equivalent" + type: string + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the admission control policy on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the policy. + + For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] + } + + If instead you want to only run the policy on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] + } + + See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + for more examples of label selectors. + + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the validation based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the cel validation, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resourceRules: + description: |- + ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. + The policy cares about an operation if it matches _any_ Rule. + items: + description: NamedRuleWithOperations is a tuple + of Operations and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an + operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional + white list of names that the rule applies + to. An empty set means that everything + is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + matchImageReferences: + description: |- + MatchImageReferences is a list of Glob and CELExpressions to match images. + Any image that matches one of the rules is considered for validation + Any image that does not match a rule is skipped, even when they are passed as arguments to + image verification functions + items: + description: MatchImageReference defines a Glob or + a CEL expression for matching images + oneOf: + - required: + - glob + - required: + - expression + properties: + expression: + description: Expression defines CEL Expressions + for matching images + type: string + glob: + description: Glob defines a globbing pattern for + matching images + type: string + type: object + type: array + validationActions: + description: |- + ValidationAction specifies the action to be taken when the matched resource violates the policy. + Required. + items: + description: ValidationAction specifies a policy enforcement + action. + enum: + - Deny + - Audit + - Warn + type: string + type: array + x-kubernetes-list-type: set + validationConfigurations: + default: {} + description: ValidationConfigurations defines settings + for mutating and verifying image digests, and enforcing + image verification through signatures. + properties: + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + required: + default: true + description: Required validates that images are + verified, i.e., have passed a signature or attestation + check. + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images + have a digest. + type: boolean + type: object + validations: + description: Validations contain CEL expressions which + is used to apply the image validation checks. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + webhookConfiguration: + description: WebhookConfiguration defines the configuration + for the webhook. + properties: + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + required: + - attestors + - validations + type: object + required: + - spec + type: object + type: object + type: object + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml new file mode 100644 index 0000000..436542b --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml @@ -0,0 +1,113 @@ +{{- if .Values.groups.policies.policyexceptions }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: policyexceptions.policies.kyverno.io +spec: + group: policies.kyverno.io + names: + kind: PolicyException + listKind: PolicyExceptionList + plural: policyexceptions + singular: policyexception + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + matchConditions: + description: MatchConditions is a list of CEL expressions that must + be met for a resource to be excluded. + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + policyRefs: + description: PolicyRefs identifies the policies to which the exception + is applied. + items: + properties: + kind: + description: Kind is the kind of the policy + type: string + name: + description: Name is the name of the policy + type: string + required: + - kind + - name + type: object + type: array + required: + - policyRefs + type: object + required: + - spec + type: object + served: true + storage: true +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml new file mode 100644 index 0000000..6668d6e --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml @@ -0,0 +1,1523 @@ +{{- if .Values.groups.policies.validatingpolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: validatingpolicies.policies.kyverno.io +spec: + group: policies.kyverno.io + names: + categories: + - kyverno + kind: ValidatingPolicy + listKind: ValidatingPolicyList + plural: validatingpolicies + shortNames: + - vpol + singular: validatingpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .status.conditionStatus.ready + name: READY + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ValidatingPolicySpec is the specification of the desired + behavior of the ValidatingPolicy. + properties: + auditAnnotations: + description: |- + auditAnnotations contains CEL expressions which are used to produce audit + annotations for the audit event of the API request. + validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is + required. + items: + description: AuditAnnotation describes how to produce an audit annotation + for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + x-kubernetes-list-type: atomic + autogen: + description: AutogenConfiguration defines the configuration for the + generation controller. + properties: + podControllers: + description: PodControllers specifies whether to generate a pod + controllers rules. + properties: + controllers: + items: + type: string + type: array + type: object + validatingAdmissionPolicy: + description: ValidatingAdmissionPolicy specifies whether to generate + a Kubernetes ValidatingAdmissionPolicy. + properties: + enabled: + description: |- + Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. + Optional. Defaults to "false" if not specified. + type: boolean + type: object + type: object + evaluation: + description: EvaluationConfiguration defines the configuration for + the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation during background + scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + mode: + description: |- + Mode is the mode of policy evaluation. + Allowed values are "Kubernetes" or "JSON". + Optional. Default value is "Kubernetes". + type: string + type: object + failurePolicy: + description: |- + failurePolicy defines how to handle failures for the admission policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid + or mis-configured policy definitions or bindings. + + failurePolicy does not define how validations that evaluate to false are handled. + + When failurePolicy is set to Fail, the validationActions field define how failures are enforced. + + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchConditions is a list of conditions that must be met for a request to be validated. + Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + There are a maximum of 64 match conditions allowed. + + If a parameter object is provided, it can be accessed via the `params` handle in the same + manner as validation expressions. + + The exact matching logic is (in order): + 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. + 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. + 3. If any matchCondition evaluates to an error (but none are FALSE): + - If failurePolicy=Fail, reject the request + - If failurePolicy=Ignore, the policy is skipped + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + matchConstraints: + description: |- + MatchConstraints specifies what resources this policy is designed to validate. + The AdmissionPolicy cares about a request if it matches _all_ Constraints. + Required. + properties: + excludeResourceRules: + description: |- + ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. + The exclude rules take precedence over include rules (if a resource matches both, it is excluded) + items: + description: NamedRuleWithOperations is a tuple of Operations + and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for + a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional white list of + names that the rule applies to. An empty set means that + everything is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + matchPolicy: + description: |- + matchPolicy defines how the "MatchResources" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". + + - Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. + + - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. + + Defaults to "Equivalent" + type: string + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the admission control policy on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the policy. + + For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] + } + + If instead you want to only run the policy on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] + } + + See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + for more examples of label selectors. + + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the validation based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the cel validation, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resourceRules: + description: |- + ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. + The policy cares about an operation if it matches _any_ Rule. + items: + description: NamedRuleWithOperations is a tuple of Operations + and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for + a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional white list of + names that the rule applies to. An empty set means that + everything is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + validationActions: + description: |- + ValidationAction specifies the action to be taken when the matched resource violates the policy. + Required. + items: + description: ValidationAction specifies a policy enforcement action. + enum: + - Deny + - Audit + - Warn + type: string + type: array + x-kubernetes-list-type: set + validations: + description: |- + Validations contain CEL expressions which is used to apply the validation. + Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is + required. + items: + description: Validation specifies the CEL expression which is used + to apply the validation. + properties: + expression: + description: "Expression represents the expression which will + be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, + organized into CEL variables as well as some other useful + variables:\n\n- 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE requests.\n- + 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by the policy binding + being evaluated. Only populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming + object belongs to. The value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, from its name to + its lazily evaluated value.\n For example, a variable named + 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization checks + for the principal (user or service account) of the request.\n + \ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the\n request resource.\n\nThe + `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. No other + metadata properties are accessible.\n\nOnly property names + of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible + property names are escaped according to the following rules + when accessed in the expression:\n- '__' escapes to '__underscores__'\n- + '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' + escapes to '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", + \"const\", \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", + \"return\".\nExamples:\n - Expression accessing a property + named \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression + accessing a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"}\n\nEquality on arrays + with list type of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type + use the semantics of the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements in `X` are + preserved and\n non-intersecting elements in `Y` are appended, + retaining their partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys in `X` are preserved + but the values\n are overwritten by values in `Y` when + the key sets of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining their partial + order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy + except MatchConditions because MatchConditions are evaluated before the rest of the policy. + + The expression of a variable can refer to other variables defined earlier in the list but not those after. + Thus, Variables must be sorted by the order of first appearance and acyclic. + items: + description: Variable is the definition of a variable that is used + for composition. A variable is defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + webhookConfiguration: + description: WebhookConfiguration defines the configuration for the + webhook. + properties: + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + properties: + configs: + additionalProperties: + properties: + spec: + description: ValidatingPolicySpec is the specification of + the desired behavior of the ValidatingPolicy. + properties: + auditAnnotations: + description: |- + auditAnnotations contains CEL expressions which are used to produce audit + annotations for the audit event of the API request. + validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is + required. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + x-kubernetes-list-type: atomic + autogen: + description: AutogenConfiguration defines the configuration + for the generation controller. + properties: + podControllers: + description: PodControllers specifies whether to + generate a pod controllers rules. + properties: + controllers: + items: + type: string + type: array + type: object + validatingAdmissionPolicy: + description: ValidatingAdmissionPolicy specifies + whether to generate a Kubernetes ValidatingAdmissionPolicy. + properties: + enabled: + description: |- + Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. + Optional. Defaults to "false" if not specified. + type: boolean + type: object + type: object + evaluation: + description: EvaluationConfiguration defines the configuration + for the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation + during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation + during background scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + mode: + description: |- + Mode is the mode of policy evaluation. + Allowed values are "Kubernetes" or "JSON". + Optional. Default value is "Kubernetes". + type: string + type: object + failurePolicy: + description: |- + failurePolicy defines how to handle failures for the admission policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid + or mis-configured policy definitions or bindings. + + failurePolicy does not define how validations that evaluate to false are handled. + + When failurePolicy is set to Fail, the validationActions field define how failures are enforced. + + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchConditions is a list of conditions that must be met for a request to be validated. + Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + There are a maximum of 64 match conditions allowed. + + If a parameter object is provided, it can be accessed via the `params` handle in the same + manner as validation expressions. + + The exact matching logic is (in order): + 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. + 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. + 3. If any matchCondition evaluates to an error (but none are FALSE): + - If failurePolicy=Fail, reject the request + - If failurePolicy=Ignore, the policy is skipped + items: + description: MatchCondition represents a condition + which must by fulfilled for a request to be sent + to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + matchConstraints: + description: |- + MatchConstraints specifies what resources this policy is designed to validate. + The AdmissionPolicy cares about a request if it matches _all_ Constraints. + Required. + properties: + excludeResourceRules: + description: |- + ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. + The exclude rules take precedence over include rules (if a resource matches both, it is excluded) + items: + description: NamedRuleWithOperations is a tuple + of Operations and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an + operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional + white list of names that the rule applies + to. An empty set means that everything + is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + matchPolicy: + description: |- + matchPolicy defines how the "MatchResources" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". + + - Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. + + - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. + + Defaults to "Equivalent" + type: string + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the admission control policy on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the policy. + + For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] + } + + If instead you want to only run the policy on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: + "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] + } + + See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + for more examples of label selectors. + + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the validation based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the cel validation, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resourceRules: + description: |- + ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. + The policy cares about an operation if it matches _any_ Rule. + items: + description: NamedRuleWithOperations is a tuple + of Operations and Resources with ResourceNames. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an + operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resourceNames: + description: ResourceNames is an optional + white list of names that the rule applies + to. An empty set means that everything + is allowed. + items: + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + validationActions: + description: |- + ValidationAction specifies the action to be taken when the matched resource violates the policy. + Required. + items: + description: ValidationAction specifies a policy enforcement + action. + enum: + - Deny + - Audit + - Warn + type: string + type: array + x-kubernetes-list-type: set + validations: + description: |- + Validations contain CEL expressions which is used to apply the validation. + Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is + required. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy + except MatchConditions because MatchConditions are evaluated before the rest of the policy. + + The expression of a variable can refer to other variables defined earlier in the list but not those after. + Thus, Variables must be sorted by the order of first appearance and acyclic. + items: + description: Variable is the definition of a variable + that is used for composition. A variable is defined + as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + webhookConfiguration: + description: WebhookConfiguration defines the configuration + for the webhook. + properties: + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + type: object + required: + - spec + type: object + type: object + type: object + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object + generated: + description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy + is generated from the policy or not + type: boolean + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml new file mode 100644 index 0000000..de4c67f --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml @@ -0,0 +1,342 @@ +{{- if .Values.groups.reports.clusterephemeralreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: clusterephemeralreports.reports.kyverno.io +spec: + group: reports.kyverno.io + names: + categories: + - kyverno + kind: ClusterEphemeralReport + listKind: ClusterEphemeralReportList + plural: clusterephemeralreports + shortNames: + - cephr + singular: clusterephemeralreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.labels['audit\.kyverno\.io/source'] + name: Source + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group'] + name: Group + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind'] + name: Kind + type: string + - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name'] + name: Owner + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid'] + name: Uid + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterEphemeralReport is the Schema for the ClusterEphemeralReports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. a Deployment, + Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: ObjectReference contains enough information to + let you inspect or modify the referred object. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml new file mode 100644 index 0000000..8a994e1 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml @@ -0,0 +1,342 @@ +{{- if .Values.groups.reports.ephemeralreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: ephemeralreports.reports.kyverno.io +spec: + group: reports.kyverno.io + names: + categories: + - kyverno + kind: EphemeralReport + listKind: EphemeralReportList + plural: ephemeralreports + shortNames: + - ephr + singular: ephemeralreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.labels['audit\.kyverno\.io/source'] + name: Source + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group'] + name: Group + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind'] + name: Kind + type: string + - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name'] + name: Owner + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid'] + name: Uid + priority: 1 + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: EphemeralReport is the Schema for the EphemeralReports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. a Deployment, + Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: ObjectReference contains enough information to + let you inspect or modify the referred object. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml new file mode 100644 index 0000000..a656677 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml @@ -0,0 +1,368 @@ +{{- if .Values.groups.wgpolicyk8s.clusterpolicyreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: clusterpolicyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: ClusterPolicyReport + listKind: ClusterPolicyReportList + plural: clusterpolicyreports + shortNames: + - cpolr + singular: clusterpolicyreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + type: string + - jsonPath: .scope.name + name: Name + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + scopeSelector: + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml b/k3-kyverno-test/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml new file mode 100644 index 0000000..b5bd0c4 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml @@ -0,0 +1,367 @@ +{{- if .Values.groups.wgpolicyk8s.policyreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.17.3 + name: policyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: PolicyReport + listKind: PolicyReportList + plural: policyreports + shortNames: + - polr + singular: policyreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + type: string + - jsonPath: .scope.name + name: Name + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + scopeSelector: + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/k3-kyverno-test/kyverno/charts/crds/values.yaml b/k3-kyverno-test/kyverno/charts/crds/values.yaml new file mode 100644 index 0000000..b4a213e --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/crds/values.yaml @@ -0,0 +1,45 @@ +# -- Internal settings used with `helm template` to generate install manifest +# @ignored +templating: + enabled: false + debug: false + version: ~ + +groups: + # -- Install CRDs in group `kyverno.io` + # -- This field can be overwritten by setting crds.labels in the parent chart + kyverno: + cleanuppolicies: true + clustercleanuppolicies: true + clusterpolicies: true + globalcontextentries: true + policies: true + policyexceptions: true + updaterequests: true + + # -- Install CRDs in group `reports.kyverno.io` + policies: + validatingpolicies: true + imagevalidatingpolicies: true + policyexceptions: true + + # -- This field can be overwritten by setting crds.labels in the parent chart + reports: + clusterephemeralreports: true + ephemeralreports: true + + # -- Install CRDs in group `wgpolicyk8s.io` + # -- This field can be overwritten by setting crds.labels in the parent chart + wgpolicyk8s: + clusterpolicyreports: true + policyreports: true + +# -- Additional CRDs annotations +# -- This field can be overwritten by setting crds.annotations in the parent chart +annotations: {} + # argocd.argoproj.io/sync-options: Replace=true + # strategy.spinnaker.io/replace: 'true' + +# -- Additional CRDs labels +# -- This field can be overwritten by setting crds.labels in the parent chart +customLabels: {} diff --git a/k3-kyverno-test/kyverno/charts/grafana/Chart.yaml b/k3-kyverno-test/kyverno/charts/grafana/Chart.yaml new file mode 100644 index 0000000..445be12 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/grafana/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: grafana +version: 3.4.1 diff --git a/k3-kyverno-test/kyverno/charts/grafana/README.md b/k3-kyverno-test/kyverno/charts/grafana/README.md new file mode 100644 index 0000000..1616732 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/grafana/README.md @@ -0,0 +1,16 @@ +# grafana + +![Version: 3.4.1](https://img.shields.io/badge/Version-3.4.1-informational?style=flat-square) + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. | +| namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. | +| annotations | object | `{}` | Grafana dashboard configmap annotations. | +| labels | object | `{"grafana_dashboard":"1"}` | Grafana dashboard configmap labels | +| grafanaDashboard | object | `{"create":false,"matchLabels":{"dashboards":"grafana"}}` | create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/k3-kyverno-test/kyverno/charts/grafana/dashboard/kyverno-dashboard.json b/k3-kyverno-test/kyverno/charts/grafana/dashboard/kyverno-dashboard.json new file mode 100644 index 0000000..660a535 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/grafana/dashboard/kyverno-dashboard.json @@ -0,0 +1,3439 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 472, + "links": [], + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 6, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 42, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)", + "mode": "markdown" + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 6 + }, + "id": 12, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Latest Status", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 0 + }, + { + "color": "#eab839", + "value": 25 + }, + { + "color": "red", + "value": 50 + }, + { + "color": "red", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 29, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "sizing": "auto", + "text": {} + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rule Execution Failure Rate (Last 24 Hours)", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 8, + "y": 7 + }, + "id": 2, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"cluster\",cluster=~\"$cluster\"}==1) by (policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Cluster Policies", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 12, + "y": 7 + }, + "id": 3, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"namespaced\", cluster=~\"$cluster\"}==1) by (policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Policies", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 0 + }, + { + "color": "#eab839", + "value": 25 + }, + { + "color": "red", + "value": 50 + }, + { + "color": "red", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 28, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "sizing": "auto", + "text": {} + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", policy_background_mode=\"true\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{policy_background_mode=\"true\", cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Background Scans Failure Rate (Last 24 Hours)", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 6, + "y": 12 + }, + "id": 4, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"validate\", cluster=~\"$cluster\"}==1) by (rule_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Validate Rules", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 10, + "y": 12 + }, + "id": 23, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"mutate\", cluster=~\"$cluster\"}==1) by (rule_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Mutate Rules", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 14, + "y": 12 + }, + "id": 6, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"generate\", cluster=~\"$cluster\"}==1) by (rule_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Generate Rules", + "type": "stat" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 16 + }, + "id": 26, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Policy-Rule Results", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 17 + }, + "id": 15, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\", cluster=~\"$cluster\"}[5m])) by (rule_result)", + "interval": "", + "legendFormat": "Admission Review Result: {{rule_result}}", + "refId": "A" + } + ], + "title": "Admission Review Results (per-rule)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 17 + }, + "id": 17, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\", cluster=~\"$cluster\"}[5m])) by (rule_result)", + "interval": "", + "legendFormat": "Background Scan Result: {{rule_result}}", + "refId": "A" + } + ], + "title": "Background Scan Results (per-rule)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "namespaced" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + } + ] + }, + "gridPos": { + "h": 16, + "w": 8, + "x": 16, + "y": 17 + }, + "id": 30, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[5m])) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Policy Failures", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 25 + }, + "id": 31, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\", cluster=~\"$cluster\"}[5m])) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + "legendFormat": "Admission Review Result: {{rule_result}}", + "refId": "A" + } + ], + "title": "Admission Review Results (per-policy)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 25 + }, + "id": 32, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\", cluster=~\"$cluster\"}[5m])) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + "legendFormat": "Background Scan Result: {{rule_result}}", + "refId": "A" + } + ], + "title": "Background Scan Results (per-policy)", + "type": "timeseries" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 33 + }, + "id": 19, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Policy-Rule Info", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "namespaced" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FF7383", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 34 + }, + "id": 16, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Active Policies (by policy type)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "audit" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#37872D", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "enforce" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FF9830", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 34 + }, + "id": 20, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (policy_name, policy_validation_mode)) by (policy_validation_mode)", + "interval": "", + "legendFormat": "Policy Validation Mode: {{policy_validation_mode}}", + "refId": "A" + } + ], + "title": "Active Policies (by policy validation action)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#B877D9", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 34 + }, + "id": 24, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_background_mode=\"true\", cluster=~\"$cluster\"}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Active Policies running in background mode", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 21, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_namespace!=\"-\", cluster=~\"$cluster\"}==1) by (policy_name, policy_namespace)) by (policy_namespace)", + "interval": "", + "legendFormat": "Namespace: {{policy_namespace}}", + "refId": "A" + } + ], + "title": "Active Namespaced Policies (by namespaces)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "mutate" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(169, 58, 227)", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "validate" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(255, 232, 0)", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 42 + }, + "id": 14, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (rule_type, rule_name)) by (rule_type)", + "interval": "", + "legendFormat": "Rule Type: {{rule_type}}", + "refId": "A" + } + ], + "title": "Active Rules (by rule type)", + "type": "timeseries" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 50 + }, + "id": 34, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Policy-Rule Execution Latency", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 51 + }, + "id": 36, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (rule_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (rule_type)", + "interval": "", + "legendFormat": "Rule Type: {{rule_type}}", + "refId": "A" + } + ], + "title": "Average Rule Execution Latency Over Time", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "clocks" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "namespaced" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 51 + }, + "id": 37, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (policy_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Average Policy Execution Latency Over Time", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 51 + }, + "id": 39, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}) / sum(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Overall Average Rule Execution Latency", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 55 + }, + "id": 40, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "avg(sum(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}) by (policy_name, policy_type) / sum(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}) by (policy_name, policy_type))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Overall Average Policy Execution Latency", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 59 + }, + "id": 52, + "panels": [], + "targets": [ + { + "datasource": null, + "refId": "A" + } + ], + "title": "Admission Review Latency", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 60 + }, + "id": 53, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (resource_request_operation) / sum(rate(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "title": "Avg - Admission Review Duration Over Time (by operation)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 60 + }, + "id": 54, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (resource_kind) / sum(rate(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "title": "Avg - Admission Review Duration Over Time (by resource kind)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 60 + }, + "id": 50, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Incoming Admission Requests (per 5m)", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 64 + }, + "id": 55, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"})/sum(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Avg - Overall Admission Review Duration", + "type": "stat" + }, + { + "collapsed": false, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 68 + }, + "id": 8, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Policy Changes", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Change type: created" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 69 + }, + "id": 10, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m])) by (policy_change_type)", + "interval": "", + "legendFormat": "Change type: {{policy_change_type}}", + "refId": "A" + } + ], + "title": "Policy Changes Over Time (by change type)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 69 + }, + "id": 13, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m])) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "title": "Policy Changes Over Time (by policy type)", + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "orange", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 69 + }, + "id": 49, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Policy Changes (Last 24 Hours)", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 73 + }, + "id": 48, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Policy Changes Happening (last 5m)", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 77 + }, + "id": 44, + "panels": [], + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "refId": "A" + } + ], + "title": "Admission Requests", + "type": "row" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Change type: created" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 78 + }, + "id": 45, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m])) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "title": "Admission Requests (by operation)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Change type: created" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 78 + }, + "id": 46, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m])) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "title": "Admission Requests (by resource kind)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "semi-dark-green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 78 + }, + "id": 47, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.0", + "targets": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Admission Requests (Last 24 Hours)", + "type": "stat" + } + ], + "refresh": false, + "schemaVersion": 39, + "tags": [], + "templating": { + "list": [ + { + "current": null, + "hide": 0, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS_KYVERNO", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "uid": "${DS_PROMETHEUS_KYVERNO}" + }, + "definition": "label_values(kyverno_policy_results_total, cluster)", + "hide": 0, + "includeAll": true, + "label": "Cluster", + "multi": true, + "name": "cluster", + "options": [], + "query": "label_values(kyverno_policy_results_total, cluster)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Kyverno Metrics", + "uid": "Rg8lWBG7k", + "version": 2, + "weekStart": "" + } diff --git a/k3-kyverno-test/kyverno/charts/grafana/templates/dashboard.yaml b/k3-kyverno-test/kyverno/charts/grafana/templates/dashboard.yaml new file mode 100644 index 0000000..376cc65 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/grafana/templates/dashboard.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ tpl .Values.configMapName . }} + namespace: {{ default (include "kyverno.namespace" .) .Values.namespace }} + annotations: + {{- toYaml .Values.annotations | nindent 4 }} + labels: + {{- toYaml .Values.labels | nindent 4 }} +data: +{{ (.Files.Glob "dashboard/*").AsConfig | indent 2 }} +--- +{{- if .Values.grafanaDashboard.create -}} +{{ range $path, $_ := .Files.Glob "dashboard/*" -}} +{{ $name := base $path }} +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: {{ tpl $.Values.configMapName $ }}-{{ $name }} + namespace: {{ default (include "kyverno.namespace" $ ) $.Values.namespace }} +spec: + allowCrossNamespaceImport: {{ $.Values.grafanaDashboard.allowCrossNamespaceImport }} + folder: {{ $.Values.grafanaDashboard.folder }} + instanceSelector: + matchLabels: + {{- toYaml $.Values.grafanaDashboard.matchLabels | nindent 6 }} + configMapRef: + name: {{ tpl $.Values.configMapName $ }} + key: {{ $name }} +--- +{{ end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/charts/grafana/values.yaml b/k3-kyverno-test/kyverno/charts/grafana/values.yaml new file mode 100644 index 0000000..15babe2 --- /dev/null +++ b/k3-kyverno-test/kyverno/charts/grafana/values.yaml @@ -0,0 +1,20 @@ +# -- Configmap name template. +configMapName: '{{ include "kyverno.fullname" . }}-grafana' + +# -- (string) Namespace to create the grafana dashboard configmap. +# If not set, it will be created in the same namespace where the chart is deployed. +namespace: ~ + +# -- Grafana dashboard configmap annotations. +annotations: {} + +# -- Grafana dashboard configmap labels +labels: + grafana_dashboard: "1" + +# -- create GrafanaDashboard custom resource referencing to the configMap. +# according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ +grafanaDashboard: + create: false + matchLabels: + dashboards: "grafana" diff --git a/k3-kyverno-test/kyverno/templates/NOTES.txt b/k3-kyverno-test/kyverno/templates/NOTES.txt new file mode 100644 index 0000000..4ee09d7 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/NOTES.txt @@ -0,0 +1,50 @@ +Chart version: {{ .Chart.Version }} +Kyverno version: {{ default .Chart.AppVersion (default .Values.admissionController.container.image.tag .Values.admissionController.initContainer.image.tag) }} + +Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}. + +The following components have been installed in your cluster: +{{- if .Values.crds.install }} +- CRDs +{{- end }} +- Admission controller +{{- if .Values.reportsController.enabled }} +- Reports controller +{{- end }} +{{- if .Values.cleanupController.enabled }} +- Cleanup controller +{{- end }} +{{- if .Values.backgroundController.enabled }} +- Background controller +{{- end }} +{{- if .Values.grafana.enabled }} +- Grafana dashboard +{{- end }} + +{{ if not .Values.admissionController.replicas }} +⚠️ WARNING: Setting the admission controller replica count below 2 means Kyverno is not running in high availability mode. +{{- else if lt (int .Values.admissionController.replicas) 2 }} +⚠️ WARNING: Setting the admission controller replica count below 2 means Kyverno is not running in high availability mode. +{{- end }} + +{{- if semverCompare "<1.21.0" .Capabilities.KubeVersion.Version }} +⚠️ WARNING: The minimal Kubernetes version officially supported by Kyverno is 1.21. Earlier versions are untested and Kyverno is not guaranteed to work with Kubernetes {{ .Capabilities.KubeVersion.Version }}. +{{- end }} + +{{- with .Values.config.matchConditions }} +⚠️ WARNING: Match conditions require a Kubernetes 1.27+ cluster with `AdmissionWebhookMatchConditions` feature gate enabled. +{{- end }} + +{{- with .Values.features.generateValidatingAdmissionPolicy.enabled }} +⚠️ WARNING: Generating ValidatingAdmissionPolicy requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled. +{{- end }} + +{{- with .Values.features.validatingAdmissionPolicyReports.enabled }} +⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled. +{{- end }} + +{{ if not .Values.features.policyExceptions.enabled }} +⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set '--enablePolicyException' to true. +{{- end }} + +💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks. diff --git a/k3-kyverno-test/kyverno/templates/_helpers.tpl b/k3-kyverno-test/kyverno/templates/_helpers.tpl new file mode 100644 index 0000000..f9918d6 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/_helpers.tpl @@ -0,0 +1,119 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.chartVersion" -}} +{{- if .Values.templating.enabled -}} + {{- required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" -}} +{{- else -}} + {{- .Chart.Version | replace "+" "_" -}} +{{- end -}} +{{- end -}} + +{{- define "kyverno.features.flags" -}} +{{- $flags := list -}} +{{- with .admissionReports -}} + {{- $flags = append $flags (print "--admissionReports=" .enabled) -}} + {{- with .backPressureThreshold -}} + {{- $flags = append $flags (print "--maxAdmissionReports=" .) -}} + {{- end -}} +{{- end -}} +{{- with .aggregateReports -}} + {{- $flags = append $flags (print "--aggregateReports=" .enabled) -}} +{{- end -}} +{{- with .policyReports -}} + {{- $flags = append $flags (print "--policyReports=" .enabled) -}} +{{- end -}} +{{- with .validatingAdmissionPolicyReports -}} + {{- $flags = append $flags (print "--validatingAdmissionPolicyReports=" .enabled) -}} +{{- end -}} +{{- with .autoUpdateWebhooks -}} + {{- $flags = append $flags (print "--autoUpdateWebhooks=" .enabled) -}} +{{- end -}} +{{- with .backgroundScan -}} + {{- $flags = append $flags (print "--backgroundScan=" .enabled) -}} + {{- $flags = append $flags (print "--backgroundScanWorkers=" .backgroundScanWorkers) -}} + {{- $flags = append $flags (print "--backgroundScanInterval=" .backgroundScanInterval) -}} + {{- $flags = append $flags (print "--skipResourceFilters=" .skipResourceFilters) -}} +{{- end -}} +{{- with .configMapCaching -}} + {{- $flags = append $flags (print "--enableConfigMapCaching=" .enabled) -}} +{{- end -}} +{{- with .deferredLoading -}} + {{- $flags = append $flags (print "--enableDeferredLoading=" .enabled) -}} +{{- end -}} +{{- with .dumpPayload -}} + {{- $flags = append $flags (print "--dumpPayload=" .enabled) -}} +{{- end -}} +{{- with .forceFailurePolicyIgnore -}} + {{- $flags = append $flags (print "--forceFailurePolicyIgnore=" .enabled) -}} +{{- end -}} +{{- with .generateValidatingAdmissionPolicy -}} + {{- $flags = append $flags (print "--generateValidatingAdmissionPolicy=" .enabled) -}} +{{- end -}} +{{- with .dumpPatches -}} + {{- $flags = append $flags (print "--dumpPatches=" .enabled) -}} +{{- end -}} +{{- with .globalContext -}} + {{- $flags = append $flags (print "--maxAPICallResponseLength=" (int .maxApiCallResponseLength)) -}} +{{- end -}} +{{- with .logging -}} + {{- $flags = append $flags (print "--loggingFormat=" .format) -}} + {{- $flags = append $flags (print "--v=" (join "," .verbosity)) -}} +{{- end -}} +{{- with .omitEvents -}} + {{- with .eventTypes -}} + {{- $flags = append $flags (print "--omitEvents=" (join "," .)) -}} + {{- end -}} +{{- end -}} +{{- with .policyExceptions -}} + {{- $flags = append $flags (print "--enablePolicyException=" .enabled) -}} + {{- with .namespace -}} + {{- $flags = append $flags (print "--exceptionNamespace=" .) -}} + {{- end -}} +{{- end -}} +{{- with .protectManagedResources -}} + {{- $flags = append $flags (print "--protectManagedResources=" .enabled) -}} +{{- end -}} +{{- with .registryClient -}} + {{- $flags = append $flags (print "--allowInsecureRegistry=" .allowInsecure) -}} + {{- $flags = append $flags (print "--registryCredentialHelpers=" (join "," .credentialHelpers)) -}} +{{- end -}} +{{- with .ttlController -}} + {{- $flags = append $flags (print "--ttlReconciliationInterval=" .reconciliationInterval) -}} +{{- end -}} +{{- with .tuf -}} + {{- with .enabled -}} + {{- $flags = append $flags (print "--enableTuf=" .) -}} + {{- end -}} + {{- with .mirror -}} + {{- $flags = append $flags (print "--tufMirror=" .) -}} + {{- end -}} + {{- with .root -}} + {{- $flags = append $flags (print "--tufRoot=" .) -}} + {{- end -}} + {{- with .rootRaw -}} + {{- $flags = append $flags (print "--tufRootRaw=" .) -}} + {{- end -}} +{{- end -}} +{{- with .reporting -}} + {{- $reportingConfig := list -}} + {{- with .validate -}} + {{- $reportingConfig = append $reportingConfig "validate" -}} + {{- end -}} + {{- with .mutate -}} + {{- $reportingConfig = append $reportingConfig "mutate" -}} + {{- end -}} + {{- with .mutateExisting -}} + {{- $reportingConfig = append $reportingConfig "mutateExisting" -}} + {{- end -}} + {{- with .imageVerify -}} + {{- $reportingConfig = append $reportingConfig "imageVerify" -}} + {{- end -}} + {{- with .generate -}} + {{- $reportingConfig = append $reportingConfig "generate" -}} + {{- end -}} + {{- $flags = append $flags (print "--enableReporting=" (join "," $reportingConfig)) -}} +{{- end -}} +{{- with $flags -}} + {{- toYaml . -}} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/_helpers/_deployment.tpl b/k3-kyverno-test/kyverno/templates/_helpers/_deployment.tpl new file mode 100644 index 0000000..5898ed0 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/_helpers/_deployment.tpl @@ -0,0 +1,10 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.deployment.replicas" -}} + {{- if and (not (kindIs "invalid" .)) (not (kindIs "string" .)) -}} + {{- if eq (int .) 0 -}} + {{- fail "Kyverno does not support running with 0 replicas. Please provide a non-zero integer value." -}} + {{- end -}} + {{- end -}} + {{- . -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/_helpers/_flowcontrol.tpl b/k3-kyverno-test/kyverno/templates/_helpers/_flowcontrol.tpl new file mode 100644 index 0000000..d6fb107 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/_helpers/_flowcontrol.tpl @@ -0,0 +1,15 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.flowcontrol.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1" -}} + flowcontrol.apiserver.k8s.io/v1 +{{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta3" -}} + flowcontrol.apiserver.k8s.io/v1beta3 +{{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta2" -}} + flowcontrol.apiserver.k8s.io/v1beta2 +{{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta1" -}} + flowcontrol.apiserver.k8s.io/v1beta1 +{{- else -}} + flowcontrol.apiserver.k8s.io/v1alpha1 +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/_helpers/_image.tpl b/k3-kyverno-test/kyverno/templates/_helpers/_image.tpl new file mode 100644 index 0000000..7f80491 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/_helpers/_image.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.image" -}} +{{- $tag := default .defaultTag .image.tag -}} +{{- if not (typeIs "string" $tag) -}} + {{ fail "Image tags must be strings." }} +{{- end -}} +{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}} +{{- if $imageRegistry -}} + {{- print $imageRegistry "/" (required "An image repository is required" .image.repository) ":" $tag -}} +{{- else -}} + {{- print (required "An image repository is required" .image.repository) ":" $tag -}} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/_helpers/_labels.tpl b/k3-kyverno-test/kyverno/templates/_helpers/_labels.tpl new file mode 100644 index 0000000..8207781 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/_helpers/_labels.tpl @@ -0,0 +1,43 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.labels.merge" -}} +{{- $labels := dict -}} +{{- range . -}} + {{- $labels = merge $labels (fromYaml .) -}} +{{- end -}} +{{- with $labels -}} + {{- toYaml $labels -}} +{{- end -}} +{{- end -}} + +{{- define "kyverno.labels.helm" -}} +{{- if not .Values.templating.enabled -}} +helm.sh/chart: {{ template "kyverno.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.labels.version" -}} +app.kubernetes.io/version: {{ template "kyverno.chartVersion" . }} +{{- end -}} + +{{- define "kyverno.labels.common" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.helm" .) + (include "kyverno.labels.version" .) + (toYaml .Values.customLabels) +) -}} +{{- end -}} + +{{- define "kyverno.matchLabels.common" -}} +app.kubernetes.io/part-of: {{ template "kyverno.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{- define "kyverno.labels.component" -}} +app.kubernetes.io/component: {{ . }} +{{- end -}} + +{{- define "kyverno.labels.name" -}} +app.kubernetes.io/name: {{ . }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/_helpers/_names.tpl b/k3-kyverno-test/kyverno/templates/_helpers/_names.tpl new file mode 100644 index 0000000..90ed08f --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/_helpers/_names.tpl @@ -0,0 +1,26 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.fullname" -}} +{{- if .Values.fullnameOverride -}} + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- if contains $name .Release.Name -}} + {{- .Release.Name | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "kyverno.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.namespace" -}} +{{ default .Release.Namespace .Values.namespaceOverride }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/_helpers/_pdb.tpl b/k3-kyverno-test/kyverno/templates/_helpers/_pdb.tpl new file mode 100644 index 0000000..7453303 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/_helpers/_pdb.tpl @@ -0,0 +1,21 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.pdb.apiVersion" -}} +{{- if .Values.apiVersionOverride.podDisruptionBudget -}} + {{- .Values.apiVersionOverride.podDisruptionBudget -}} +{{- else -}} + policy/v1 +{{- end -}} +{{- end -}} + +{{- define "kyverno.pdb.spec" -}} +{{- if and .minAvailable .maxUnavailable -}} + {{- fail "Cannot set both .minAvailable and .maxUnavailable" -}} +{{- end -}} +{{- if not .maxUnavailable }} +minAvailable: {{ default 1 .minAvailable }} +{{- end }} +{{- if .maxUnavailable }} +maxUnavailable: {{ .maxUnavailable }} +{{- end }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/_templating/_helpers.tpl b/k3-kyverno-test/kyverno/templates/_templating/_helpers.tpl new file mode 100644 index 0000000..36650be --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/_templating/_helpers.tpl @@ -0,0 +1,8 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.templating.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.matchLabels.common" .) +) -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/_templating/namespace.yaml b/k3-kyverno-test/kyverno/templates/_templating/namespace.yaml new file mode 100644 index 0000000..b213c83 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/_templating/namespace.yaml @@ -0,0 +1,8 @@ +{{- if .Values.templating.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kyverno.namespace" . }} + labels: + {{- include "kyverno.templating.labels" . | nindent 4 }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/_helpers.tpl b/k3-kyverno-test/kyverno/templates/admission-controller/_helpers.tpl new file mode 100644 index 0000000..0be041a --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/_helpers.tpl @@ -0,0 +1,39 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.admission-controller.name" -}} +{{ template "kyverno.name" . }}-admission-controller +{{- end -}} + +{{- define "kyverno.admission-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.admission-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.admission-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "admission-controller") +) -}} +{{- end -}} + +{{- define "kyverno.admission-controller.roleName" -}} +{{ include "kyverno.fullname" . }}:admission-controller +{{- end -}} + +{{- define "kyverno.admission-controller.serviceAccountName" -}} +{{- if .Values.admissionController.rbac.create -}} + {{ default (include "kyverno.admission-controller.name" .) .Values.admissionController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.admissionController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.admission-controller.serviceName" -}} +{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.admission-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.admission-controller.name" .) }} +{{- end -}} \ No newline at end of file diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/clusterrole.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/clusterrole.yaml new file mode 100644 index 0000000..4b88f57 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/clusterrole.yaml @@ -0,0 +1,207 @@ +{{- if .Values.admissionController.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-admission-controller: "true" + - matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }}:core + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + {{- if .Values.features.generateValidatingAdmissionPolicy.enabled }} + - validatingadmissionpolicies + - validatingadmissionpolicybindings + {{- end }} + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - policies + - policies/status + - clusterpolicies + - clusterpolicies/status + - updaterequests + - updaterequests/status + - globalcontextentries + - globalcontextentries/status + - policyexceptions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - policies.kyverno.io + resources: + - validatingpolicies + - validatingpolicies/status + - policyexceptions + - imagevalidatingpolicies + - imagevalidatingpolicies/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '' + resources: + - configmaps + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - update + - patch + - get + - list + - watch + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + resourceNames: + - {{ template "kyverno.admission-controller.roleName" . }} + - {{ template "kyverno.admission-controller.roleName" . }}:core + - {{ template "kyverno.admission-controller.roleName" . }}:temporary + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - create + - list + {{- end }} + {{- end }} +{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.admissionController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.admission-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.admission-controller.labels" $ | nindent 4 }} +rules: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/clusterrolebinding.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/clusterrolebinding.yaml new file mode 100644 index 0000000..4cd35b6 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/clusterrolebinding.yaml @@ -0,0 +1,33 @@ +{{- if .Values.admissionController.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.admission-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- if .Values.admissionController.rbac.createViewRoleBinding }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }}:view + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.admissionController.rbac.viewRoleName }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/configmap.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/configmap.yaml new file mode 100644 index 0000000..d0b2bf6 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/configmap.yaml @@ -0,0 +1,12 @@ +{{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kyverno.admission-controller.caCertificatesConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +data: + ca-certificates: | + {{ .Values.admissionController.caCertificates.data | default .Values.global.caCertificates.data | indent 4 | trim }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/deployment.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/deployment.yaml new file mode 100644 index 0000000..7c61fe6 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/deployment.yaml @@ -0,0 +1,292 @@ +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + replicas: {{ template "kyverno.deployment.replicas" .Values.admissionController.replicas }} + revisionHistoryLimit: {{ .Values.admissionController.revisionHistoryLimit }} + {{- with .Values.admissionController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 8 }} + {{- with .Values.admissionController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.admissionController.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.admissionController.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.admissionController.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.admissionController.dnsConfig }} + dnsConfig: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.admissionController.antiAffinity.enabled .Values.admissionController.podAffinity .Values.admissionController.nodeAffinity }} + affinity: + {{- if .Values.admissionController.antiAffinity.enabled }} + {{- with .Values.admissionController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.admissionController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.admissionController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} + initContainers: + {{- with .Values.admissionController.extraInitContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + - name: kyverno-pre + image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }} + imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }} + args: + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.admissionController.featuresOverride) + "logging" + ) | nindent 12 }} + {{- range $key, $value := .Values.admissionController.initContainer.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{- with .Values.admissionController.initContainer.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.initContainer.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.admission-controller.serviceAccountName" . }} + - name: KYVERNO_ROLE_NAME + value: {{ template "kyverno.admission-controller.roleName" . }} + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.admission-controller.name" . }} + - name: KYVERNO_SVC + value: {{ template "kyverno.admission-controller.serviceName" . }} + {{- with (concat .Values.global.extraEnvVars .Values.admissionController.initContainer.extraEnvVars) }} + {{- toYaml . | nindent 10 }} + {{- end }} + containers: + {{- with .Values.admissionController.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + - name: kyverno + image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }} + args: + - --caSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + - --tlsSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + - --backgroundServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . }} + - --reportsServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.reports-controller.serviceAccountName" . }} + - --servicePort={{ .Values.admissionController.service.port }} + - --webhookServerPort={{ .Values.admissionController.webhookServer.port }} + - --resyncPeriod={{ .Values.admissionController.resyncPeriod | default .Values.global.resyncPeriod }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + - --autoDeleteWebhooks + {{- end }} + {{- if .Values.admissionController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.admissionController.tracing.address }} + - --tracingPort={{ .Values.admissionController.tracing.port }} + {{- with .Values.admissionController.tracing.creds }} + - --tracingCreds={{ . }} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.admissionController.metering.disabled }} + {{- if not .Values.admissionController.metering.disabled }} + - --otelConfig={{ .Values.admissionController.metering.config }} + - --metricsPort={{ .Values.admissionController.metering.port }} + {{- with .Values.admissionController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.admissionController.metering.creds }} + - --transportCreds={{ . }} + {{- end }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} + - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} + {{- end }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.admissionController.featuresOverride) + "reporting" + "admissionReports" + "autoUpdateWebhooks" + "configMapCaching" + "deferredLoading" + "dumpPayload" + "forceFailurePolicyIgnore" + "generateValidatingAdmissionPolicy" + "dumpPatches" + "globalContext" + "logging" + "omitEvents" + "policyExceptions" + "protectManagedResources" + "registryClient" + "tuf" + ) | nindent 12 }} + {{- range $key, $value := .Values.admissionController.container.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{ if .Values.admissionController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.admissionController.profiling.port }} + {{- end }} + {{- with .Values.admissionController.container.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.container.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + ports: + - containerPort: {{ .Values.admissionController.webhookServer.port }} + name: https + protocol: TCP + - containerPort: {{ .Values.admissionController.metering.port }} + name: metrics-port + protocol: TCP + {{ if .Values.admissionController.profiling.enabled }} + - containerPort: {{ .Values.admissionController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} + env: + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.admission-controller.serviceAccountName" . }} + - name: KYVERNO_ROLE_NAME + value: {{ template "kyverno.admission-controller.roleName" . }} + - name: KYVERNO_SVC + value: {{ template "kyverno.admission-controller.serviceName" . }} + - name: TUF_ROOT + value: {{ .Values.admissionController.tufRootMountPath }} + {{- with (concat .Values.global.extraEnvVars .Values.admissionController.container.extraEnvVars) }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.admission-controller.name" . }} + {{- with .Values.admissionController.startupProbe }} + startupProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.livenessProbe }} + livenessProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.readinessProbe }} + readinessProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.admissionController.tufRootMountPath }} + name: sigstore + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data .Values.admissionController.caCertificates.volume .Values.global.caCertificates.volume }} + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} + volumes: + - name: sigstore + {{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }} + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.admission-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.admissionController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.admissionController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/flowschema.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/flowschema.yaml new file mode 100644 index 0000000..779eeef --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/flowschema.yaml @@ -0,0 +1,222 @@ +{{- if .Values.admissionController.apiPriorityAndFairness }} +apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }} +kind: FlowSchema +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + priorityLevelConfiguration: + name: {{ template "kyverno.admission-controller.name" . }} + rules: + - resourceRules: + - apiGroups: + - admissionregistration.k8s.io + clusterScope: true + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - rbac.authorization.k8s.io + clusterScope: true + resources: + - clusterroles + - clusterrolebindings + verbs: + - watch + - list + - apiGroups: + - rbac.authorization.k8s.io + namespaces: + - '*' + resources: + - roles + - rolebindings + verbs: + - watch + - list + - apiGroups: + - kyverno.io + clusterScope: true + resources: + - clusterpolicies + - clusterpolicies/status + - globalcontextentries + - globalcontextentries/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - kyverno.io + namespaces: + - '*' + resources: + - policies + - policies/status + - updaterequests + - updaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + clusterScope: true + resources: + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + namespaces: + - '*' + resources: + - ephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + clusterScope: true + resources: + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + namespaces: + - '*' + resources: + - policyreports + - policyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - "" + - events.k8s.io + namespaces: + - '*' + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - authorization.k8s.io + clusterScope: true + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '*' + namespaces: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - '' + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - apiGroups: + - '' + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + - apiGroups: + - apps + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - deployments + - deployments/scale + verbs: + - get + - list + - watch + - patch + - update + subjects: + - kind: ServiceAccount + serviceAccount: + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end }} \ No newline at end of file diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml new file mode 100644 index 0000000..3179de5 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml @@ -0,0 +1,28 @@ +{{- if .Values.admissionController.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "kyverno.admission-controller.name" . }} + minReplicas: {{ .Values.admissionController.autoscaling.minReplicas }} + maxReplicas: {{ .Values.admissionController.autoscaling.maxReplicas }} + metrics: + - resource: + name: cpu + target: + averageUtilization: {{ .Values.admissionController.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + type: Resource + {{- with .Values.admissionController.autoscaling.behavior }} + behavior: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + targetCPUUtilizationPercentage: {{ .Values.admissionController.autoscaling.targetCPUUtilizationPercentage }} +{{- end }} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/networkpolicy.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/networkpolicy.yaml new file mode 100644 index 0000000..67219e1 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/networkpolicy.yaml @@ -0,0 +1,31 @@ +{{- if .Values.admissionController.networkPolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if .Values.admissionController.networkPolicy.ingressFrom }} + ingress: + - from: + {{- toYaml .Values.admissionController.networkPolicy.ingressFrom | nindent 8 }} + ports: + - protocol: TCP + port: 9443 # webhook access + # Allow prometheus scrapes for metrics + {{- if .Values.admissionController.metricsService.create }} + - protocol: TCP + port: {{ .Values.admissionController.metricsService.port }} + {{- end }} + {{- else }} + ingress: + - {} + {{- end }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/poddisruptionbudget.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/poddisruptionbudget.yaml new file mode 100644 index 0000000..d1bfbeb --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/poddisruptionbudget.yaml @@ -0,0 +1,14 @@ +{{- if or .Values.admissionController.podDisruptionBudget.enabled (gt (int .Values.admissionController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.admissionController.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml new file mode 100644 index 0000000..c248da9 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml @@ -0,0 +1,12 @@ +{{- if .Values.admissionController.apiPriorityAndFairness }} +apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }} +kind: PriorityLevelConfiguration +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +{{- with .Values.admissionController.priorityLevelConfigurationSpec }} +spec: + {{- tpl (toYaml .) $ | nindent 2 }} +{{- end }} +{{- end }} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/role.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/role.yaml new file mode 100644 index 0000000..c24a6ea --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/role.yaml @@ -0,0 +1,95 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - '' + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch + - patch + - create + - update + - delete + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + resourceNames: + - {{ template "kyverno.admission-controller.roleName" . }} + - {{ template "kyverno.admission-controller.roleName" . }}:temporary + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + {{- end }} + {{- end }} + # Allow update of Kyverno deployment annotations + - apiGroups: + - apps + resources: + - deployments + {{- if .Values.webhooksCleanup.enabled }} + {{- if not .Values.templating.enabled }} + - deployments/scale + {{- end }} + {{- end }} + verbs: + - get + - list + - watch + {{- if .Values.webhooksCleanup.enabled }} + {{- if not .Values.templating.enabled }} + - patch + - update + {{- end }} + {{- end }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/rolebinding.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/rolebinding.yaml new file mode 100644 index 0000000..e54046c --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.admissionController.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.admission-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/secret.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/secret.yaml new file mode 100644 index 0000000..1c6b718 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/secret.yaml @@ -0,0 +1,30 @@ +{{- if .Values.admissionController.createSelfSignedCert -}} +{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}} +{{- $svcName := (printf "%s.%s.svc" (include "kyverno.admission-controller.serviceName" .) (include "kyverno.namespace" .)) -}} +{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.key: {{ $ca.Key | b64enc }} + tls.crt: {{ $ca.Cert | b64enc }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + annotations: + self-signed-cert: "true" +type: kubernetes.io/tls +data: + tls.key: {{ $cert.Key | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/service.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/service.yaml new file mode 100644 index 0000000..4e3f8d5 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/service.yaml @@ -0,0 +1,71 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.service.annotations }} + annotations: {{ tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.admissionController.service.port }} + targetPort: https + protocol: TCP + name: https + appProtocol: https + {{- if and (eq .Values.admissionController.service.type "NodePort") (not (empty .Values.admissionController.service.nodePort)) }} + nodePort: {{ .Values.admissionController.service.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.admissionController.service.type }} +{{- if .Values.admissionController.metricsService.create }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.metricsService.annotations }} + annotations: {{ tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.admissionController.metricsService.port }} + targetPort: {{ .Values.admissionController.metering.port }} + protocol: TCP + name: metrics-port + {{- if and (eq .Values.admissionController.metricsService.type "NodePort") (not (empty .Values.admissionController.metricsService.nodePort)) }} + nodePort: {{ .Values.admissionController.metricsService.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.admissionController.metricsService.type }} +{{- end -}} +{{- if .Values.admissionController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.admissionController.profiling.port }} + targetPort: {{ .Values.admissionController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.admissionController.profiling.serviceType "NodePort") (not (empty .Values.admissionController.profiling.nodePort)) }} + nodePort: {{ .Values.admissionController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.admissionController.profiling.serviceType }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/serviceaccount.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/serviceaccount.yaml new file mode 100644 index 0000000..e6fe87c --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if .Values.admissionController.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/webhooks + - kyverno.io/exceptionwebhooks + - kyverno.io/globalcontextwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/k3-kyverno-test/kyverno/templates/admission-controller/servicemonitor.yaml b/k3-kyverno-test/kyverno/templates/admission-controller/servicemonitor.yaml new file mode 100644 index 0000000..d97ab2f --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/admission-controller/servicemonitor.yaml @@ -0,0 +1,40 @@ +{{- if .Values.admissionController.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + {{- if .Values.admissionController.serviceMonitor.namespace }} + namespace: {{ .Values.admissionController.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.admissionController.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.admissionController.serviceMonitor.scrapeTimeout }} + {{- if .Values.admissionController.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.admissionController.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.admissionController.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/_helpers.tpl b/k3-kyverno-test/kyverno/templates/background-controller/_helpers.tpl new file mode 100644 index 0000000..10aac22 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/_helpers.tpl @@ -0,0 +1,44 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.background-controller.name" -}} +{{ template "kyverno.name" . }}-background-controller +{{- end -}} + +{{- define "kyverno.background-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.background-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.background-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "background-controller") +) -}} +{{- end -}} + +{{- define "kyverno.background-controller.image" -}} +{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}} +{{- if $imageRegistry -}} + {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- else -}} + {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.background-controller.roleName" -}} +{{ include "kyverno.fullname" . }}:background-controller +{{- end -}} + +{{- define "kyverno.background-controller.serviceAccountName" -}} +{{- if .Values.backgroundController.rbac.create -}} + {{ default (include "kyverno.background-controller.name" .) .Values.backgroundController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.backgroundController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.background-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.background-controller.name" .) }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/clusterrole.yaml b/k3-kyverno-test/kyverno/templates/background-controller/clusterrole.yaml new file mode 100644 index 0000000..2b2ade2 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/clusterrole.yaml @@ -0,0 +1,100 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + - matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" . }}:core + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - kyverno.io + resources: + - policies + - policies/status + - clusterpolicies + - clusterpolicies/status + - policyexceptions + - updaterequests + - updaterequests/status + - globalcontextentries + - globalcontextentries/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + resources: + - namespaces + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - get + - list + - patch + - update + - watch + - apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection +{{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.backgroundController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.background-controller.labels" $ | nindent 4 }} +rules: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/clusterrolebinding.yaml b/k3-kyverno-test/kyverno/templates/background-controller/clusterrolebinding.yaml new file mode 100644 index 0000000..6e80730 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/clusterrolebinding.yaml @@ -0,0 +1,35 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.background-controller.roleName" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- if .Values.backgroundController.rbac.createViewRoleBinding }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.background-controller.roleName" . }}:view + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.backgroundController.rbac.viewRoleName }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/configmap.yaml b/k3-kyverno-test/kyverno/templates/background-controller/configmap.yaml new file mode 100644 index 0000000..6979ca6 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/configmap.yaml @@ -0,0 +1,12 @@ +{{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kyverno.background-controller.caCertificatesConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +data: + ca-certificates: | + {{ .Values.backgroundController.caCertificates.data | default .Values.global.caCertificates.data | indent 4 | trim }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/deployment.yaml b/k3-kyverno-test/kyverno/templates/background-controller/deployment.yaml new file mode 100644 index 0000000..e3c9979 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/deployment.yaml @@ -0,0 +1,197 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.background-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + replicas: {{ template "kyverno.deployment.replicas" .Values.backgroundController.replicas }} + revisionHistoryLimit: {{ .Values.backgroundController.revisionHistoryLimit }} + {{- with .Values.backgroundController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.background-controller.labels" . | nindent 8 }} + {{- with .Values.backgroundController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.backgroundController.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.backgroundController.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.backgroundController.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.backgroundController.dnsConfig }} + dnsConfig: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.backgroundController.antiAffinity.enabled .Values.backgroundController.podAffinity .Values.backgroundController.nodeAffinity }} + affinity: + {{- if .Values.backgroundController.antiAffinity.enabled }} + {{- with .Values.backgroundController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.backgroundController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.backgroundController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.background-controller.serviceAccountName" . }} + containers: + - name: controller + image: {{ include "kyverno.background-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.backgroundController.image.pullPolicy }} + ports: + - containerPort: {{ .Values.backgroundController.server.port }} + name: https + protocol: TCP + - containerPort: {{ .Values.backgroundController.metering.port }} + name: metrics + protocol: TCP + {{ if .Values.backgroundController.profiling.enabled }} + - containerPort: {{ .Values.backgroundController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} + args: + {{- if .Values.backgroundController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.backgroundController.tracing.address }} + - --tracingPort={{ .Values.backgroundController.tracing.port }} + {{- with .Values.backgroundController.tracing.creds }} + - --tracingCreds={{ . }} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.backgroundController.metering.disabled }} + {{- if not .Values.backgroundController.metering.disabled }} + - --otelConfig={{ .Values.backgroundController.metering.config }} + - --metricsPort={{ .Values.backgroundController.metering.port }} + {{- with .Values.backgroundController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.backgroundController.metering.creds }} + - --transportCreds={{ . }} + {{- end }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} + - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} + {{- end }} + - --resyncPeriod={{ .Values.backgroundController.resyncPeriod | default .Values.global.resyncPeriod }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.backgroundController.featuresOverride) + "reporting" + "configMapCaching" + "deferredLoading" + "globalContext" + "logging" + "omitEvents" + "policyExceptions" + ) | nindent 12 }} + {{- range $key, $value := .Values.backgroundController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{ if .Values.backgroundController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.backgroundController.profiling.port }} + {{- end }} + env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.background-controller.serviceAccountName" . }} + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.background-controller.name" . }} + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with (concat .Values.global.extraEnvVars .Values.backgroundController.extraEnvVars) }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.backgroundController.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.backgroundController.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + volumeMounts: + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + volumes: + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.background-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.backgroundController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/networkpolicy.yaml b/k3-kyverno-test/kyverno/templates/background-controller/networkpolicy.yaml new file mode 100644 index 0000000..660bbfd --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/networkpolicy.yaml @@ -0,0 +1,30 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.networkPolicy.enabled -}} +{{- if .Values.backgroundController.metricsService.create -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "kyverno.background-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if .Values.backgroundController.networkPolicy.ingressFrom }} + ingress: + - from: + {{- toYaml .Values.backgroundController.networkPolicy.ingressFrom | nindent 8 }} + ports: + - protocol: TCP + port: {{ .Values.backgroundController.metricsService.port }} + {{- else }} + ingress: + - {} + {{- end }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/poddisruptionbudget.yaml b/k3-kyverno-test/kyverno/templates/background-controller/poddisruptionbudget.yaml new file mode 100644 index 0000000..201f7cb --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/poddisruptionbudget.yaml @@ -0,0 +1,16 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if or .Values.backgroundController.podDisruptionBudget.enabled (gt (int .Values.backgroundController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.background-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.backgroundController.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/role.yaml b/k3-kyverno-test/kyverno/templates/background-controller/role.yaml new file mode 100644 index 0000000..c18d118 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/role.yaml @@ -0,0 +1,48 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - delete + - get + - patch + - update + resourceNames: + - kyverno-background-controller + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/rolebinding.yaml b/k3-kyverno-test/kyverno/templates/background-controller/rolebinding.yaml new file mode 100644 index 0000000..1eef40c --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/rolebinding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.background-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/service.yaml b/k3-kyverno-test/kyverno/templates/background-controller/service.yaml new file mode 100644 index 0000000..876f228 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/service.yaml @@ -0,0 +1,50 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.metricsService.create -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.background-controller.name" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.metricsService.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.backgroundController.metricsService.port }} + targetPort: {{ .Values.backgroundController.metering.port }} + protocol: TCP + name: metrics-port + {{- if and (eq .Values.backgroundController.metricsService.type "NodePort") (not (empty .Values.backgroundController.metricsService.nodePort)) }} + nodePort: {{ .Values.backgroundController.metricsService.nodePort }} + {{- end }} + selector: + {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.backgroundController.metricsService.type }} +{{- end -}} +{{- end -}} +{{- if .Values.backgroundController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.background-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.backgroundController.profiling.port }} + targetPort: {{ .Values.backgroundController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.backgroundController.profiling.serviceType "NodePort") (not (empty .Values.backgroundController.profiling.nodePort)) }} + nodePort: {{ .Values.backgroundController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.backgroundController.profiling.serviceType }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/serviceaccount.yaml b/k3-kyverno-test/kyverno/templates/background-controller/serviceaccount.yaml new file mode 100644 index 0000000..b291b7e --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/background-controller/servicemonitor.yaml b/k3-kyverno-test/kyverno/templates/background-controller/servicemonitor.yaml new file mode 100644 index 0000000..67c38a2 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/background-controller/servicemonitor.yaml @@ -0,0 +1,42 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kyverno.background-controller.name" . }} + {{- if .Values.backgroundController.serviceMonitor.namespace }} + namespace: {{ .Values.backgroundController.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.backgroundController.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.backgroundController.serviceMonitor.scrapeTimeout }} + {{- if .Values.backgroundController.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.backgroundController.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.backgroundController.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/_helpers.tpl b/k3-kyverno-test/kyverno/templates/cleanup-controller/_helpers.tpl new file mode 100644 index 0000000..1804291 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.cleanup-controller.name" -}} +{{ template "kyverno.name" . }}-cleanup-controller +{{- end -}} + +{{- define "kyverno.cleanup-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.cleanup-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.cleanup-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "cleanup-controller") +) -}} +{{- end -}} + +{{- define "kyverno.cleanup-controller.image" -}} +{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}} +{{- if $imageRegistry -}} + {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- else -}} + {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.cleanup-controller.roleName" -}} +{{ include "kyverno.fullname" . }}:cleanup-controller +{{- end -}} + +{{- define "kyverno.cleanup-controller.serviceAccountName" -}} +{{- if .Values.cleanupController.rbac.create -}} + {{ default (include "kyverno.cleanup-controller.name" .) .Values.cleanupController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.cleanupController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/clusterrole.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/clusterrole.yaml new file mode 100644 index 0000000..8f1dd0c --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/clusterrole.yaml @@ -0,0 +1,144 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if .Values.cleanupController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.cleanup-controller.roleName" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-cleanup-controller: "true" + - matchLabels: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.cleanup-controller.roleName" . }}:core + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - clustercleanuppolicies + - cleanuppolicies + verbs: + - list + - watch + - apiGroups: + - kyverno.io + resources: + - globalcontextentries + - globalcontextentries/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - kyverno.io + resources: + - clustercleanuppolicies/status + - cleanuppolicies/status + verbs: + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + resourceNames: + - {{ template "kyverno.cleanup-controller.roleName" . }} + - {{ template "kyverno.cleanup-controller.roleName" . }}:core + - {{ template "kyverno.cleanup-controller.roleName" . }}:temporary + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - create + - list + {{- end }} + {{- end }} +{{- with .Values.cleanupController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.cleanup-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.cleanup-controller.labels" $ | nindent 4 }} +rules: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/clusterrolebinding.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/clusterrolebinding.yaml new file mode 100644 index 0000000..46d2ffe --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/clusterrolebinding.yaml @@ -0,0 +1,18 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if .Values.cleanupController.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.cleanup-controller.roleName" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.cleanup-controller.roleName" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/deployment.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/deployment.yaml new file mode 100644 index 0000000..3b81a62 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/deployment.yaml @@ -0,0 +1,200 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + {{- with .Values.cleanupController.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + replicas: {{ template "kyverno.deployment.replicas" .Values.cleanupController.replicas }} + revisionHistoryLimit: {{ .Values.cleanupController.revisionHistoryLimit }} + {{- with .Values.cleanupController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 8 }} + {{- with .Values.cleanupController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.cleanupController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.cleanupController.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.cleanupController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.cleanupController.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.cleanupController.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.cleanupController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.cleanupController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.cleanupController.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.cleanupController.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.cleanupController.dnsConfig }} + dnsConfig: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.cleanupController.antiAffinity.enabled .Values.cleanupController.podAffinity .Values.cleanupController.nodeAffinity }} + affinity: + {{- if .Values.cleanupController.antiAffinity.enabled }} + {{- with .Values.cleanupController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.cleanupController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.cleanupController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + containers: + - name: controller + image: {{ include "kyverno.cleanup-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupController.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.cleanupController.image.pullPolicy }} + ports: + - containerPort: {{ .Values.cleanupController.server.port }} + name: https + protocol: TCP + - containerPort: {{ .Values.cleanupController.metering.port }} + name: metrics + protocol: TCP + {{ if .Values.cleanupController.profiling.enabled }} + - containerPort: {{ .Values.cleanupController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} + args: + - --caSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + - --tlsSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + - --servicePort={{ .Values.cleanupController.service.port }} + - --cleanupServerPort={{ .Values.cleanupController.server.port }} + - --webhookServerPort={{ .Values.cleanupController.webhookServer.port }} + - --resyncPeriod={{ .Values.cleanupController.resyncPeriod | default .Values.global.resyncPeriod }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + - --autoDeleteWebhooks + {{- end }} + {{- if .Values.cleanupController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.cleanupController.tracing.address }} + - --tracingPort={{ .Values.cleanupController.tracing.port }} + {{- with .Values.cleanupController.tracing.creds }} + - --tracingCreds={{ . }} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.cleanupController.metering.disabled }} + {{- if not .Values.cleanupController.metering.disabled }} + - --otelConfig={{ .Values.cleanupController.metering.config }} + - --metricsPort={{ .Values.cleanupController.metering.port }} + {{- with .Values.cleanupController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.cleanupController.metering.creds }} + - --transportCreds={{ . }} + {{- end }} + {{- end }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.cleanupController.featuresOverride) + "deferredLoading" + "dumpPayload" + "globalContext" + "logging" + "ttlController" + "protectManagedResources" + ) | nindent 12 }} + {{- range $key, $value := .Values.cleanupController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{ if .Values.cleanupController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.cleanupController.profiling.port }} + {{- end }} + env: + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.cleanup-controller.name" . }} + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + - name: KYVERNO_ROLE_NAME + value: {{ template "kyverno.cleanup-controller.roleName" . }} + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_SVC + value: {{ template "kyverno.cleanup-controller.name" . }} + {{- with (concat .Values.global.extraEnvVars .Values.cleanupController.extraEnvVars) }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.cleanupController.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.cleanupController.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cleanupController.startupProbe }} + startupProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.cleanupController.livenessProbe }} + livenessProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.cleanupController.readinessProbe }} + readinessProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/networkpolicy.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/networkpolicy.yaml new file mode 100644 index 0000000..e9e8da3 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/networkpolicy.yaml @@ -0,0 +1,33 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if .Values.cleanupController.networkPolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if .Values.cleanupController.networkPolicy.ingressFrom }} + ingress: + - from: + {{- toYaml .Values.cleanupController.networkPolicy.ingressFrom | nindent 8 }} + ports: + - protocol: TCP + port: 9443 # webhook access + # Allow prometheus scrapes for metrics + {{- if .Values.cleanupController.metricsService.create }} + - protocol: TCP + port: {{ .Values.cleanupController.metricsService.port }} + {{- end }} + {{- else }} + ingress: + - {} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml new file mode 100644 index 0000000..b640ad3 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml @@ -0,0 +1,16 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if or .Values.cleanupController.podDisruptionBudget.enabled (gt (int .Values.cleanupController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.cleanupController.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/role.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/role.yaml new file mode 100644 index 0000000..7aebf84 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/role.yaml @@ -0,0 +1,119 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if .Values.cleanupController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.cleanup-controller.roleName" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - apiGroups: + - '' + resources: + - secrets + verbs: + - delete + - get + - list + - update + - watch + resourceNames: + - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - '' + resources: + - serviceaccounts + verbs: + - delete + - get + - list + - update + - watch + resourceNames: + - {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + {{- end }} + {{- end }} + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - delete + - get + - patch + - update + resourceNames: + - kyverno-cleanup-controller + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + resourceNames: + - {{ template "kyverno.cleanup-controller.roleName" . }} + - {{ template "kyverno.cleanup-controller.roleName" . }}:temporary + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + {{- end }} + {{- end }} + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + - patch + - update + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/rolebinding.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/rolebinding.yaml new file mode 100644 index 0000000..8ccec90 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if .Values.cleanupController.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.cleanup-controller.roleName" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.cleanup-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/secret.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/secret.yaml new file mode 100644 index 0000000..d709e59 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/secret.yaml @@ -0,0 +1,32 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if .Values.cleanupController.createSelfSignedCert -}} +{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}} +{{- $svcName := (printf "%s.%s.svc" (include "kyverno.cleanup-controller.name" .) (include "kyverno.namespace" .)) -}} +{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.key: {{ $ca.Key | b64enc }} + tls.crt: {{ $ca.Cert | b64enc }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + annotations: + self-signed-cert: "true" +type: kubernetes.io/tls +data: + tls.key: {{ $cert.Key | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/service.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/service.yaml new file mode 100644 index 0000000..5ae061e --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/service.yaml @@ -0,0 +1,75 @@ +{{- if .Values.cleanupController.enabled -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + {{- with .Values.cleanupController.service.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.cleanupController.service.port }} + targetPort: https + protocol: TCP + name: https + appProtocol: https + {{- if and (eq .Values.cleanupController.service.type "NodePort") (not (empty .Values.cleanupController.service.nodePort)) }} + nodePort: {{ .Values.cleanupController.service.nodePort }} + {{- end }} + selector: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.cleanupController.service.type }} +{{- if .Values.cleanupController.metricsService.create }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + {{- with .Values.cleanupController.metricsService.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.cleanupController.metricsService.port }} + targetPort: {{ .Values.cleanupController.metering.port }} + protocol: TCP + name: metrics-port + {{- if and (eq .Values.cleanupController.metricsService.type "NodePort") (not (empty .Values.cleanupController.metricsService.nodePort)) }} + nodePort: {{ .Values.cleanupController.metricsService.nodePort }} + {{- end }} + selector: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.cleanupController.metricsService.type }} +{{- end -}} +{{- if .Values.cleanupController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.cleanupController.profiling.port }} + targetPort: {{ .Values.cleanupController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.cleanupController.profiling.serviceType "NodePort") (not (empty .Values.cleanupController.profiling.nodePort)) }} + nodePort: {{ .Values.cleanupController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.cleanupController.profiling.serviceType }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/serviceaccount.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/serviceaccount.yaml new file mode 100644 index 0000000..d069870 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if .Values.cleanupController.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} + {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} + {{- if not .Values.templating.enabled }} + finalizers: + - kyverno.io/policywebhooks + - kyverno.io/ttlwebhooks + {{- end }} + {{- end }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + {{- with .Values.cleanupController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/cleanup-controller/servicemonitor.yaml b/k3-kyverno-test/kyverno/templates/cleanup-controller/servicemonitor.yaml new file mode 100644 index 0000000..e9f50e6 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/cleanup-controller/servicemonitor.yaml @@ -0,0 +1,42 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if .Values.cleanupController.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }} + {{- if .Values.cleanupController.serviceMonitor.namespace }} + namespace: {{ .Values.cleanupController.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + {{- with .Values.cleanupController.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.cleanupController.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.cleanupController.serviceMonitor.scrapeTimeout }} + {{- if .Values.cleanupController.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.cleanupController.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} + {{- with .Values.cleanupController.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.cleanupController.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/config/_helpers.tpl b/k3-kyverno-test/kyverno/templates/config/_helpers.tpl new file mode 100644 index 0000000..68dd801 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/config/_helpers.tpl @@ -0,0 +1,84 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.config.configMapName" -}} +{{- if .Values.config.create -}} + {{ default (include "kyverno.fullname" .) .Values.config.name }} +{{- else -}} + {{ required "A configmap name is required when `config.create` is set to `false`" .Values.config.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.config.metricsConfigMapName" -}} +{{- if .Values.metricsConfig.create -}} + {{ default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.metricsConfig.name }} +{{- else -}} + {{ required "A configmap name is required when `metricsConfig.create` is set to `false`" .Values.metricsConfig.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.config.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.config.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.config.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "config") +) -}} +{{- end -}} + +{{- define "kyverno.config.resourceFilters" -}} +{{- $resourceFilters := .Values.config.resourceFilters -}} +{{- if .Values.config.excludeKyvernoNamespace -}} + {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*/*,%s,*]" (include "kyverno.namespace" .)) -}} +{{- end -}} +{{- range $resourceExclude := .Values.config.resourceFiltersExclude -}} + {{- $resourceFilters = without $resourceFilters $resourceExclude -}} +{{- end -}} +{{- range $exclude := .Values.config.resourceFiltersExcludeNamespaces -}} + {{- range $filter := $resourceFilters -}} + {{- if (contains (printf ",%s," $exclude) $filter) -}} + {{- $resourceFilters = without $resourceFilters $filter -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- $resourceFilters = concat $resourceFilters .Values.config.resourceFiltersInclude -}} +{{- range $include := .Values.config.resourceFiltersIncludeNamespaces -}} + {{- $resourceFilters = append $resourceFilters (printf "[*/*,%s,*]" $include) -}} +{{- end -}} +{{- range $resourceFilter := $resourceFilters }} +{{ tpl $resourceFilter $ }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.config.webhooks" -}} +{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} +{{- $webhooks := .Values.config.webhooks -}} +{{- if $webhooks | typeIs "slice" -}} + {{- $newWebhooks := dict -}} + {{- range $index, $webhook := $webhooks -}} + {{- if $webhook.namespaceSelector -}} + {{- $namespaceSelector := $webhook.namespaceSelector }} + {{- $matchExpressions := default (list) $namespaceSelector.matchExpressions }} + {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} + {{- $newWebhook := merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector) }} + {{- $newWebhooks = merge $newWebhooks (dict $webhook.name $newWebhook) }} + {{- end -}} + {{- end -}} + {{- $newWebhooks | toJson }} +{{- else -}} + {{- $webhook := $webhooks }} + {{- $namespaceSelector := default (dict) $webhook.namespaceSelector }} + {{- $matchExpressions := default (list) $namespaceSelector.matchExpressions }} + {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} + {{- $newWebhook := merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector) }} + {{- $newWebhook | toJson }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.config.imagePullSecret" -}} +{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/config/configmap.yaml b/k3-kyverno-test/kyverno/templates/config/configmap.yaml new file mode 100644 index 0000000..d10a74d --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/config/configmap.yaml @@ -0,0 +1,57 @@ +{{- if .Values.config.create -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kyverno.config.configMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.config.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.config.preserve }} + helm.sh/resource-policy: "keep" + {{- end }} +data: + enableDefaultRegistryMutation: {{ .Values.config.enableDefaultRegistryMutation | quote }} + {{- with .Values.config.defaultRegistry }} + defaultRegistry: {{ . | quote }} + {{- end }} + generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }} + {{- with .Values.config.excludeGroups }} + excludeGroups: {{ join "," . | quote }} + {{- end -}} + {{- with .Values.config.excludeUsernames }} + excludeUsernames: {{ join "," . | quote }} + {{- end -}} + {{- with .Values.config.excludeRoles }} + excludeRoles: {{ join "," . | quote }} + {{- end -}} + {{- with .Values.config.excludeClusterRoles }} + excludeClusterRoles: {{ join "," . | quote }} + {{- end -}} + {{- if .Values.config.resourceFilters }} + resourceFilters: >- + {{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }} + {{- end -}} + {{- with .Values.config.updateRequestThreshold }} + updateRequestThreshold: {{ . | quote }} + {{- end -}} + {{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }} + webhooks: {{ include "kyverno.config.webhooks" . | quote }} + {{- else if .Values.config.webhooks }} + webhooks: {{ .Values.config.webhooks | toJson | quote }} + {{- else if .Values.config.excludeKyvernoNamespace }} + webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]' + {{- end -}} + {{- with .Values.config.webhookAnnotations }} + webhookAnnotations: {{ toJson . | quote }} + {{- end }} + {{- with .Values.config.webhookLabels }} + webhookLabels: {{ toJson . | quote }} + {{- end }} + {{- with .Values.config.matchConditions }} + matchConditions: {{ toJson . | quote }} + {{- end }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/config/imagepullsecret.yaml b/k3-kyverno-test/kyverno/templates/config/imagepullsecret.yaml new file mode 100644 index 0000000..19ce98c --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/config/imagepullsecret.yaml @@ -0,0 +1,13 @@ +{{ range $name, $secret := .Values.imagePullSecrets }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $name }} + namespace: {{ template "kyverno.namespace" $ }} + labels: + {{- include "kyverno.config.labels" $ | nindent 4 }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "kyverno.config.imagePullSecret" $secret }} +{{ end }} diff --git a/k3-kyverno-test/kyverno/templates/config/metricsconfigmap.yaml b/k3-kyverno-test/kyverno/templates/config/metricsconfigmap.yaml new file mode 100644 index 0000000..3273946 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/config/metricsconfigmap.yaml @@ -0,0 +1,26 @@ +{{- if .Values.metricsConfig.create -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kyverno.config.metricsConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.config.labels" . | nindent 4 }} + {{- with .Values.metricsConfig.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + {{- with .Values.metricsConfig.namespaces }} + namespaces: {{ toJson . | quote }} + {{- end }} + {{- with .Values.metricsConfig.metricsRefreshInterval }} + metricsRefreshInterval: {{ . }} + {{- end }} + {{- with .Values.metricsConfig.metricsExposure }} + metricsExposure: {{ toJson . | quote }} + {{- end }} + {{- with .Values.metricsConfig.bucketBoundaries }} + bucketBoundaries: {{ join ", " . | quote }} + {{- end }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/hooks/_helpers.tpl b/k3-kyverno-test/kyverno/templates/hooks/_helpers.tpl new file mode 100644 index 0000000..edc290b --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/hooks/_helpers.tpl @@ -0,0 +1,15 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.hooks.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.hooks.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.hooks.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "hooks") +) -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/hooks/post-delete-configmap.yaml b/k3-kyverno-test/kyverno/templates/hooks/post-delete-configmap.yaml new file mode 100644 index 0000000..93f0c33 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/hooks/post-delete-configmap.yaml @@ -0,0 +1,132 @@ +{{- if .Values.config.preserve -}} +{{- if not .Values.templating.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.fullname" . }}:remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "0" +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - get + - delete +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.fullname" . }}:remove-configmap +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.fullname" . }}-remove-configmap + namespace: {{ template "kyverno.namespace" . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.fullname" . }}-remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "0" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "10" +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.webhooksCleanup.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kyverno.fullname" . }}-remove-configmap + {{- with .Values.webhooksCleanup.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + {{- with .Values.webhooksCleanup.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} + imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} + command: + - /bin/bash + - '-c' + - |- + set -euo pipefail + kubectl delete cm --ignore-not-found -n {{ template "kyverno.namespace" . }} {{ template "kyverno.config.configMapName" . }} + {{- with .Values.webhooksCleanup.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.webhooksCleanup.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.webhooksCleanup.tolerations | default .Values.global.tolerations }} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.webhooksCleanup.podAntiAffinity .Values.webhooksCleanup.podAffinity .Values.webhooksCleanup.nodeAffinity }} + affinity: + {{- with .Values.webhooksCleanup.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/hooks/post-upgrade-clean-reports.yaml b/k3-kyverno-test/kyverno/templates/hooks/post-upgrade-clean-reports.yaml new file mode 100644 index 0000000..28fa2ef --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/hooks/post-upgrade-clean-reports.yaml @@ -0,0 +1,99 @@ +{{- if .Values.policyReportsCleanup.enabled -}} +{{- if not .Values.templating.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-clean-reports + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.policyReportsCleanup.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.policyReportsCleanup.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} + {{- with .Values.policyReportsCleanup.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }} + imagePullPolicy: {{ .Values.policyReportsCleanup.image.pullPolicy }} + command: + - /bin/bash + - -c + - | + set -euo pipefail + NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}') + + for ns in ${NAMESPACES[@]}; + do + COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l) + + if [ $COUNT -gt 0 ]; then + echo "deleting $COUNT policyreports in namespace $ns" + kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io + else + echo "no policyreports in namespace $ns" + fi + done + + COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l) + + if [ $COUNT -gt 0 ]; then + echo "deleting $COUNT clusterpolicyreports" + kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io + else + echo "no clusterpolicyreports" + fi + {{- with .Values.policyReportsCleanup.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.policyReportsCleanup.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.policyReportsCleanup.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.policyReportsCleanup.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.policyReportsCleanup.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.policyReportsCleanup.podAntiAffinity .Values.policyReportsCleanup.podAffinity .Values.policyReportsCleanup.nodeAffinity }} + affinity: + {{- with .Values.policyReportsCleanup.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.policyReportsCleanup.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.policyReportsCleanup.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml b/k3-kyverno-test/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml new file mode 100644 index 0000000..fd3f79d --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml @@ -0,0 +1,142 @@ +{{- if .Values.crds.migration.enabled -}} +{{- if not .Values.templating.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }}:migrate-resources + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "100" +rules: + - apiGroups: + - kyverno.io + resources: + - '*' + verbs: + - get + - list + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions/status + verbs: + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:migrate-resources + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "100" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.fullname" . }}:migrate-resources +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.fullname" . }}-migrate-resources + namespace: {{ template "kyverno.namespace" . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.fullname" . }}-migrate-resources + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "100" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-migrate-resources + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "200" +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.crds.migration.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.crds.migration.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kyverno.fullname" . }}-migrate-resources + {{- with .Values.crds.migration.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.crds.migration.image "defaultTag" (default .Chart.AppVersion .Values.crds.migration.image.tag))) | quote }} + imagePullPolicy: {{ .Values.crds.migration.image.pullPolicy }} + args: + - migrate + {{- range .Values.crds.migration.resources }} + - --resource + - {{ . }} + {{- end }} + {{- with .Values.crds.migration.podResources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.crds.migration.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.crds.migration.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.crds.migration.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.crds.migration.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.crds.migration.podAntiAffinity .Values.crds.migration.podAffinity .Values.crds.migration.nodeAffinity }} + affinity: + {{- with .Values.crds.migration.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.crds.migration.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.crds.migration.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml b/k3-kyverno-test/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml new file mode 100644 index 0000000..3f3aade --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml @@ -0,0 +1,82 @@ +{{- if .Values.webhooksCleanup.enabled -}} +{{- if not .Values.templating.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-scale-to-zero + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "100" +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.webhooksCleanup.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} + {{- with .Values.webhooksCleanup.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + {{- with .Values.webhooksCleanup.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} + imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} + command: + - /bin/bash + - '-c' + - |- + set -euo pipefail + kubectl scale -n {{ template "kyverno.namespace" . }} deployment -l app.kubernetes.io/part-of={{ template "kyverno.fullname" . }} --replicas=0 + sleep 30 + kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno + kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno + {{- with .Values.webhooksCleanup.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.webhooksCleanup.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.webhooksCleanup.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.webhooksCleanup.podAntiAffinity .Values.webhooksCleanup.podAffinity .Values.webhooksCleanup.nodeAffinity }} + affinity: + {{- with .Values.webhooksCleanup.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/rbac/_helpers.tpl b/k3-kyverno-test/kyverno/templates/rbac/_helpers.tpl new file mode 100644 index 0000000..b87759d --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/rbac/_helpers.tpl @@ -0,0 +1,35 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.rbac.labels.admin" -}} +{{- $labels := list + (include "kyverno.labels.common" .) + (include "kyverno.rbac.matchLabels" .) +-}} +{{- if .Values.rbac.roles.aggregate.admin -}} +{{- $labels = append $labels "rbac.authorization.k8s.io/aggregate-to-admin: 'true'" -}} +{{- end -}} +{{- template "kyverno.labels.merge" $labels -}} +{{- end -}} + + +{{- define "kyverno.rbac.labels.view" -}} +{{- $labels := list + (include "kyverno.labels.common" .) + (include "kyverno.rbac.matchLabels" .) +-}} +{{- if .Values.rbac.roles.aggregate.view -}} +{{- $labels = append $labels "rbac.authorization.k8s.io/aggregate-to-view: 'true'" -}} +{{- end -}} +{{- template "kyverno.labels.merge" $labels -}} +{{- end -}} + +{{- define "kyverno.rbac.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "rbac") +) -}} +{{- end -}} + +{{- define "kyverno.rbac.roleName" -}} +{{ include "kyverno.fullname" . }}:rbac +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/rbac/policies.yaml b/k3-kyverno-test/kyverno/templates/rbac/policies.yaml new file mode 100644 index 0000000..c949f80 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/rbac/policies.yaml @@ -0,0 +1,43 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:policies + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:policies + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - get + - list + - watch +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/rbac/policyreports.yaml b/k3-kyverno-test/kyverno/templates/rbac/policyreports.yaml new file mode 100644 index 0000000..0b85139 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/rbac/policyreports.yaml @@ -0,0 +1,39 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:policyreports + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:policyreports + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - get + - list + - watch +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/rbac/reports.yaml b/k3-kyverno-test/kyverno/templates/rbac/reports.yaml new file mode 100644 index 0000000..89ea5dc --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/rbac/reports.yaml @@ -0,0 +1,39 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:reports + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:reports + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports + verbs: + - get + - list + - watch +{{- end -}} \ No newline at end of file diff --git a/k3-kyverno-test/kyverno/templates/rbac/updaterequests.yaml b/k3-kyverno-test/kyverno/templates/rbac/updaterequests.yaml new file mode 100644 index 0000000..4d81ad7 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/rbac/updaterequests.yaml @@ -0,0 +1,37 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:updaterequests + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - updaterequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:updaterequests + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - updaterequests + verbs: + - get + - list + - watch +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/_helpers.tpl b/k3-kyverno-test/kyverno/templates/reports-controller/_helpers.tpl new file mode 100644 index 0000000..fe8e41e --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/_helpers.tpl @@ -0,0 +1,44 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.reports-controller.name" -}} +{{ template "kyverno.name" . }}-reports-controller +{{- end -}} + +{{- define "kyverno.reports-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.reports-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.reports-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "reports-controller") +) -}} +{{- end -}} + +{{- define "kyverno.reports-controller.image" -}} +{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}} +{{- if $imageRegistry -}} + {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- else -}} + {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.reports-controller.roleName" -}} +{{ include "kyverno.fullname" . }}:reports-controller +{{- end -}} + +{{- define "kyverno.reports-controller.serviceAccountName" -}} +{{- if .Values.reportsController.rbac.create -}} + {{ default (include "kyverno.reports-controller.name" .) .Values.reportsController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.reportsController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.reports-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.reports-controller.name" .) }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/clusterrole.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/clusterrole.yaml new file mode 100644 index 0000000..2f74f29 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/clusterrole.yaml @@ -0,0 +1,142 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + - matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }}:core + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - '' + resources: + - configmaps + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - globalcontextentries + - globalcontextentries/status + - policyexceptions + - policies + - clusterpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - policies.kyverno.io + resources: + - validatingpolicies + - validatingpolicies/status + - imagevalidatingpolicies + - imagevalidatingpolicies/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - policies.kyverno.io + resources: + - policyexceptions + - policyexceptions/status + verbs: + - get + - list + - watch + - apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - patch +{{- with .Values.reportsController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.reportsController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.reports-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.reports-controller.labels" $ | nindent 4 }} +rules: + {{- range . }} + - apiGroups: + {{- toYaml .apiGroups | nindent 6 }} + resources: + {{- toYaml .resources | nindent 6 }} + verbs: + - get + - list + - watch + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/clusterrolebinding.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/clusterrolebinding.yaml new file mode 100644 index 0000000..a2b7600 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/clusterrolebinding.yaml @@ -0,0 +1,35 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.reports-controller.roleName" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- if .Values.reportsController.rbac.createViewRoleBinding }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }}:view + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.reportsController.rbac.viewRoleName }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/configmap.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/configmap.yaml new file mode 100644 index 0000000..ad23aa8 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/configmap.yaml @@ -0,0 +1,12 @@ +{{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kyverno.reports-controller.caCertificatesConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +data: + ca-certificates: | + {{ .Values.reportsController.caCertificates.data | default .Values.global.caCertificates.data | indent 4 | trim }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/deployment.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/deployment.yaml new file mode 100644 index 0000000..f674c45 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/deployment.yaml @@ -0,0 +1,211 @@ +{{- if .Values.reportsController.enabled -}} +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + {{- with .Values.reportsController.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + replicas: {{ template "kyverno.deployment.replicas" .Values.reportsController.replicas }} + revisionHistoryLimit: {{ .Values.reportsController.revisionHistoryLimit }} + {{- with .Values.reportsController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 8 }} + {{- with .Values.reportsController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.reportsController.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.reportsController.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.reportsController.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.reportsController.dnsConfig }} + dnsConfig: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.reportsController.antiAffinity.enabled .Values.reportsController.podAffinity .Values.reportsController.nodeAffinity }} + affinity: + {{- if .Values.reportsController.antiAffinity.enabled }} + {{- with .Values.reportsController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.reportsController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.reportsController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.reports-controller.serviceAccountName" . }} + containers: + - name: controller + image: {{ include "kyverno.reports-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.reportsController.image.pullPolicy }} + ports: + - containerPort: {{ .Values.reportsController.server.port }} + name: https + protocol: TCP + - containerPort: {{ .Values.reportsController.metering.port }} + name: metrics + protocol: TCP + {{ if .Values.reportsController.profiling.enabled }} + - containerPort: {{ .Values.reportsController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} + args: + {{- if .Values.reportsController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.reportsController.tracing.address }} + - --tracingPort={{ .Values.reportsController.tracing.port }} + {{- with .Values.reportsController.tracing.creds }} + - --tracingCreds={{ . }} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.reportsController.metering.disabled }} + {{- if not .Values.reportsController.metering.disabled }} + - --otelConfig={{ .Values.reportsController.metering.config }} + - --metricsPort={{ .Values.reportsController.metering.port }} + {{- with .Values.reportsController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.reportsController.metering.creds }} + - --transportCreds={{ . }} + {{- end }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} + - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} + {{- end }} + - --resyncPeriod={{ .Values.reportsController.resyncPeriod | default .Values.global.resyncPeriod }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.reportsController.featuresOverride) + "reporting" + "admissionReports" + "aggregateReports" + "policyReports" + "validatingAdmissionPolicyReports" + "backgroundScan" + "configMapCaching" + "deferredLoading" + "globalContext" + "logging" + "omitEvents" + "policyExceptions" + "registryClient" + "tuf" + ) | nindent 12 }} + {{- range $key, $value := .Values.reportsController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{- if .Values.reportsController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.reportsController.profiling.port }} + {{- end }} + {{- if not .Values.reportsController.sanityChecks }} + - --reportsCRDsSanityChecks=false + {{- end }} + env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.reports-controller.serviceAccountName" . }} + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.reports-controller.name" . }} + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: TUF_ROOT + value: {{ .Values.reportsController.tufRootMountPath }} + {{- with (concat .Values.global.extraEnvVars .Values.reportsController.extraEnvVars) }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.reportsController.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.reportsController.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.reportsController.tufRootMountPath }} + name: sigstore + {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data .Values.reportsController.caCertificates.volume .Values.global.caCertificates.volume }} + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} + volumes: + - name: sigstore + {{- toYaml (required "A valid .Values.reportsController.sigstoreVolume entry is required" .Values.reportsController.sigstoreVolume) | nindent 8 }} + {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.reports-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.reportsController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.reportsController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/flowschema.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/flowschema.yaml new file mode 100644 index 0000000..7dbd98a --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/flowschema.yaml @@ -0,0 +1,120 @@ +{{- if .Values.reportsController.apiPriorityAndFairness }} +apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }} +kind: FlowSchema +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + priorityLevelConfiguration: + name: {{ template "kyverno.reports-controller.name" . }} + rules: + - resourceRules: + - apiGroups: + - '*' + namespaces: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - reports.kyverno.io + clusterScope: true + resources: + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + namespaces: + - '*' + resources: + - ephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + clusterScope: true + resources: + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + namespaces: + - '*' + resources: + - policyreports + - policyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + namespaces: + - '*' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - '' + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + subjects: + - kind: ServiceAccount + serviceAccount: + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end }} \ No newline at end of file diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/networkpolicy.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/networkpolicy.yaml new file mode 100644 index 0000000..e70c6d8 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/networkpolicy.yaml @@ -0,0 +1,30 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.networkPolicy.enabled -}} +{{- if .Values.reportsController.metricsService.create -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if .Values.reportsController.networkPolicy.ingressFrom }} + ingress: + - from: + {{- toYaml .Values.reportsController.networkPolicy.ingressFrom | nindent 8 }} + ports: + - protocol: TCP + port: {{ .Values.reportsController.metricsService.port }} + {{- else }} + ingress: + - {} + {{- end }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/poddisruptionbudget.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/poddisruptionbudget.yaml new file mode 100644 index 0000000..de6b624 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/poddisruptionbudget.yaml @@ -0,0 +1,16 @@ +{{- if .Values.reportsController.enabled -}} +{{- if or .Values.reportsController.podDisruptionBudget.enabled (gt (int .Values.reportsController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.reportsController.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/prioritylevelconfiguration.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/prioritylevelconfiguration.yaml new file mode 100644 index 0000000..a5a475e --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/prioritylevelconfiguration.yaml @@ -0,0 +1,12 @@ +{{- if .Values.reportsController.apiPriorityAndFairness }} +apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }} +kind: PriorityLevelConfiguration +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +{{- with .Values.reportsController.priorityLevelConfigurationSpec }} +spec: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} +{{- end }} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/role.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/role.yaml new file mode 100644 index 0000000..6b163b7 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/role.yaml @@ -0,0 +1,48 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - delete + - get + - patch + - update + resourceNames: + - kyverno-reports-controller +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/rolebinding.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/rolebinding.yaml new file mode 100644 index 0000000..d43066b --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/rolebinding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.reports-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/service.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/service.yaml new file mode 100644 index 0000000..34fdfee --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/service.yaml @@ -0,0 +1,50 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.metricsService.create -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.reports-controller.name" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + {{- with .Values.reportsController.metricsService.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.reportsController.metricsService.port }} + targetPort: {{ .Values.reportsController.metering.port }} + protocol: TCP + name: metrics-port + {{- if and (eq .Values.reportsController.metricsService.type "NodePort") (not (empty .Values.reportsController.metricsService.nodePort)) }} + nodePort: {{ .Values.reportsController.metricsService.nodePort }} + {{- end }} + selector: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.reportsController.metricsService.type }} +{{- end -}} +{{- end -}} +{{- if .Values.reportsController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.reports-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.reportsController.profiling.port }} + targetPort: {{ .Values.reportsController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.reportsController.profiling.serviceType "NodePort") (not (empty .Values.reportsController.profiling.nodePort)) }} + nodePort: {{ .Values.reportsController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.reportsController.profiling.serviceType }} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/serviceaccount.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/serviceaccount.yaml new file mode 100644 index 0000000..44ddeda --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + {{- with .Values.reportsController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/reports-controller/servicemonitor.yaml b/k3-kyverno-test/kyverno/templates/reports-controller/servicemonitor.yaml new file mode 100644 index 0000000..681e3d9 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/reports-controller/servicemonitor.yaml @@ -0,0 +1,42 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + {{- if .Values.reportsController.serviceMonitor.namespace }} + namespace: {{ .Values.reportsController.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + {{- with .Values.reportsController.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.reportsController.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.reportsController.serviceMonitor.scrapeTimeout }} + {{- if .Values.reportsController.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.reportsController.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.reportsController.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/tests/_helpers.tpl b/k3-kyverno-test/kyverno/templates/tests/_helpers.tpl new file mode 100644 index 0000000..f1e1a3e --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/tests/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.test.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.test.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.test.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "test") +) -}} +{{- end -}} + +{{- define "kyverno.test.annotations" -}} +helm.sh/hook: test +{{- end -}} + +{{- define "kyverno.test.image" -}} +{{- template "kyverno.image" (dict "image" .Values.test.image "defaultTag" "latest") -}} +{{- end -}} + +{{- define "kyverno.test.imagePullPolicy" -}} +{{- default .Values.admissionController.container.image.pullPolicy .Values.test.image.pullPolicy -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/tests/admission-controller-liveness.yaml b/k3-kyverno-test/kyverno/templates/tests/admission-controller-liveness.yaml new file mode 100644 index 0000000..756a309 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/tests/admission-controller-liveness.yaml @@ -0,0 +1,33 @@ +{{- if .Values.admissionController.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-admission-controller-liveness + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/liveness +{{- end -}} \ No newline at end of file diff --git a/k3-kyverno-test/kyverno/templates/tests/admission-controller-metrics.yaml b/k3-kyverno-test/kyverno/templates/tests/admission-controller-metrics.yaml new file mode 100644 index 0000000..44d6c6a --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/tests/admission-controller-metrics.yaml @@ -0,0 +1,33 @@ +{{- if .Values.admissionController.metricsService.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-admission-controller-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate http://{{ template "kyverno.admission-controller.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.metricsService.port }}/metrics +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/tests/admission-controller-readiness.yaml b/k3-kyverno-test/kyverno/templates/tests/admission-controller-readiness.yaml new file mode 100644 index 0000000..093a0a2 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/tests/admission-controller-readiness.yaml @@ -0,0 +1,33 @@ +{{- if .Values.admissionController.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-admission-controller-readiness + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/readiness +{{- end -}} \ No newline at end of file diff --git a/k3-kyverno-test/kyverno/templates/tests/cleanup-controller-liveness.yaml b/k3-kyverno-test/kyverno/templates/tests/cleanup-controller-liveness.yaml new file mode 100644 index 0000000..a667f6b --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/tests/cleanup-controller-liveness.yaml @@ -0,0 +1,33 @@ +{{- if .Values.cleanupController.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-cleanup-controller-liveness + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/liveness +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/tests/cleanup-controller-metrics.yaml b/k3-kyverno-test/kyverno/templates/tests/cleanup-controller-metrics.yaml new file mode 100644 index 0000000..080d7e8 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/tests/cleanup-controller-metrics.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.cleanupController.enabled .Values.cleanupController.metricsService.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-cleanup-controller-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate http://{{ template "kyverno.cleanup-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.metricsService.port }}/metrics +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/tests/cleanup-controller-readiness.yaml b/k3-kyverno-test/kyverno/templates/tests/cleanup-controller-readiness.yaml new file mode 100644 index 0000000..e5ef16e --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/tests/cleanup-controller-readiness.yaml @@ -0,0 +1,33 @@ +{{- if .Values.cleanupController.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-cleanup-controller-readiness + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/readiness +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/tests/reports-controller-metrics.yaml b/k3-kyverno-test/kyverno/templates/tests/reports-controller-metrics.yaml new file mode 100644 index 0000000..386e11f --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/tests/reports-controller-metrics.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.reportsController.enabled .Values.reportsController.metricsService.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-reports-controller-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + {{- with .Values.test.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep {{ .Values.test.sleep }} ; wget -O- -S --no-check-certificate http://{{ template "kyverno.reports-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.reportsController.metricsService.port }}/metrics +{{- end -}} diff --git a/k3-kyverno-test/kyverno/templates/validate.yaml b/k3-kyverno-test/kyverno/templates/validate.yaml new file mode 100644 index 0000000..aabd335 --- /dev/null +++ b/k3-kyverno-test/kyverno/templates/validate.yaml @@ -0,0 +1,43 @@ +{{- if and (eq .Values.cleanupController.enabled true) (eq .Values.crds.groups.kyverno.cleanuppolicies false) }} +{{- fail "CRD cleanuppolicies disabled while cleanupController enabled" }} +{{- end }} +{{- if and (eq .Values.cleanupController.enabled true) (eq .Values.crds.groups.kyverno.clustercleanuppolicies false) }} +{{- fail "CRD clustercleanuppolicies disabled while cleanupController enabled" }} +{{- end }} +{{- if and (eq .Values.reportsController.enabled true) (eq .Values.reportsController.sanityChecks true) (eq .Values.crds.groups.wgpolicyk8s.clusterpolicyreports false) }} +{{- fail "CRD clusterpolicyreports disabled while reportsController enabled" }} +{{- end }} +{{- if and (eq .Values.reportsController.enabled true) (eq .Values.reportsController.sanityChecks true) (eq .Values.crds.groups.wgpolicyk8s.policyreports false) }} +{{- fail "CRD policyreports disabled while reportsController enabled" }} +{{- end }} +{{- if and (eq .Values.reportsController.enabled true) (eq .Values.reportsController.sanityChecks true) (eq .Values.crds.groups.reports.ephemeralreports false) }} +{{- fail "CRD ephemeralreports disabled while reportsController enabled" }} +{{- end }} +{{- if and (eq .Values.reportsController.enabled true) (eq .Values.reportsController.sanityChecks true) (eq .Values.crds.groups.reports.clusterephemeralreports false) }} +{{- fail "CRD clusterephemeralreports disabled while reportsController enabled" }} +{{- end }} + +{{- if hasKey .Values "mode" -}} + {{- fail "mode is not supported anymore, please remove it from your release and use admissionController.replicas instead." -}} +{{- end -}} + +{{- if eq (include "kyverno.namespace" .) "kube-system" -}} + {{- fail "Kyverno cannot be installed in namespace kube-system." -}} +{{- end -}} + +{{- if not .Values.upgrade.fromV2 -}} + {{- $v2 := lookup "apps/v1" "Deployment" (include "kyverno.namespace" .) (include "kyverno.fullname" .) -}} + {{- if $v2 -}} + {{- fail (join "\n" (list + "" + "" + " +--------------------------------------------------------------------------------------------------------------------------------------+" + " | An earlier Helm installation of Kyverno was detected. |" + " | Given this chart version has significant breaking changes, the upgrade has been blocked. |" + " | Please review the release notes and chart README section and then, once prepared, set `upgrade.fromV2: true` once ready to proceed. |" + " +--------------------------------------------------------------------------------------------------------------------------------------+" + "" + )) + -}} + {{- end -}} +{{- end -}} diff --git a/k3-kyverno-test/kyverno/values.yaml b/k3-kyverno-test/kyverno/values.yaml new file mode 100644 index 0000000..d793c55 --- /dev/null +++ b/k3-kyverno-test/kyverno/values.yaml @@ -0,0 +1,2152 @@ +# -- Internal settings used with `helm template` to generate install manifest +# @ignored +templating: + enabled: false + debug: false + version: ~ + +global: + + image: + # -- (string) Global value that allows to set a single image registry across all deployments. + # When set, it will override any values set under `.image.registry` across the chart. + registry: ~ + # -- (list) Global list of Image pull secrets + # When set, it will override any values set under `imagePullSecrets` under different components across the chart. + imagePullSecrets: [] + + # -- Resync period for informers + resyncPeriod: 15m + + caCertificates: + # -- Global CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + # Individual controller values will override this global value + data: ~ + + # -- Global value to set single volume to be mounted for CA certificates for all deployments. + # Not used when `.Values.global.caCertificates.data` is defined + # Individual controller values will override this global value + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + # -- Additional container environment variables to apply to all containers and init containers + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + # -- Global node labels for pod assignment. Non-global values will override the global value. + nodeSelector: {} + + # -- Global List of node taints to tolerate. Non-global values will override the global value. + tolerations: [] + +# -- (string) Override the name of the chart +nameOverride: ~ + +# -- (string) Override the expanded name of the chart +fullnameOverride: ~ + +# -- (string) Override the namespace the chart deploys to +namespaceOverride: ~ + +upgrade: + # -- Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. + fromV2: false + +apiVersionOverride: + # -- (string) Override api version used to create `PodDisruptionBudget`` resources. + # When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to + # determine the api version automatically. + podDisruptionBudget: ~ + +rbac: + roles: + # -- Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) + aggregate: + admin: true + view: true + +# CRDs configuration +crds: + + # -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created + install: true + + groups: + + # -- Install CRDs in group `kyverno.io` + kyverno: + cleanuppolicies: true + clustercleanuppolicies: true + clusterpolicies: true + globalcontextentries: true + policies: true + policyexceptions: true + updaterequests: true + validatingpolicies: true + + # -- Install CRDs in group `policies.kyverno.io` + policies: + validatingpolicies: true + policyexceptions: true + imagevalidatingpolicies: true + + # -- Install CRDs in group `reports.kyverno.io` + reports: + clusterephemeralreports: true + ephemeralreports: true + + # -- Install CRDs in group `wgpolicyk8s.io` + wgpolicyk8s: + clusterpolicyreports: true + policyreports: true + + # -- Additional CRDs annotations + annotations: {} + # argocd.argoproj.io/sync-options: Replace=true + # strategy.spinnaker.io/replace: 'true' + + # -- Additional CRDs labels + customLabels: {} + + migration: + + # -- Enable CRDs migration using helm post upgrade hook + enabled: true + + # -- Resources to migrate + resources: + - cleanuppolicies.kyverno.io + - clustercleanuppolicies.kyverno.io + - clusterpolicies.kyverno.io + - globalcontextentries.kyverno.io + - policies.kyverno.io + - policyexceptions.kyverno.io + - updaterequests.kyverno.io + + image: + # -- (string) Image registry + registry: ~ + defaultRegistry: reg.kyverno.io + # -- (string) Image repository + repository: kyverno/kyverno-cli + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- (string) Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - name: secretName + + # -- Security context for the pod + podSecurityContext: {} + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + # -- Pod anti affinity constraints. + podAntiAffinity: {} + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Pod labels. + podLabels: {} + + # -- Pod annotations. + podAnnotations: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Security context for the hook containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + podResources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + +# Configuration +config: + + # -- Create the configmap. + create: true + + # -- Preserve the configmap settings during upgrade. + preserve: true + + # -- (string) The configmap name (required if `create` is `false`). + name: ~ + + # -- Additional annotations to add to the configmap. + annotations: {} + + # -- Enable registry mutation for container images. Enabled by default. + enableDefaultRegistryMutation: true + + # -- The registry hostname used for the image mutation. + defaultRegistry: docker.io + + # -- Exclude groups + excludeGroups: + - system:nodes + + # -- Exclude usernames + excludeUsernames: [] + # - '!system:kube-scheduler' + + # -- Exclude roles + excludeRoles: [] + + # -- Exclude roles + excludeClusterRoles: [] + + # -- Generate success events. + generateSuccessEvents: false + + # -- Resource types to be skipped by the Kyverno policy engine. + # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. + # These are joined together without spaces, run through `tpl`, and the result is set in the config map. + # @default -- See [values.yaml](values.yaml) + resourceFilters: + - '[Event,*,*]' + - '[*/*,kube-system,*]' + - '[*/*,kube-public,*]' + - '[*/*,kube-node-lease,*]' + - '[Node,*,*]' + - '[Node/*,*,*]' + - '[APIService,*,*]' + - '[APIService/*,*,*]' + - '[TokenReview,*,*]' + - '[SubjectAccessReview,*,*]' + - '[SelfSubjectAccessReview,*,*]' + - '[Binding,*,*]' + - '[Pod/binding,*,*]' + - '[ReplicaSet,*,*]' + - '[ReplicaSet/*,*,*]' + - '[EphemeralReport,*,*]' + - '[ClusterEphemeralReport,*,*]' + # exclude resources from the chart + - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]' + - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]' + - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]' + - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]' + - '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]' + - '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]' + - '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]' + - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]' + - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]' + - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' + - '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' + - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]' + + # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. + updateRequestThreshold: 1000 + + # -- Defines the `namespaceSelector`/`objectSelector` in the webhook configurations. + # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) + webhooks: + # Exclude namespaces + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + # Exclude objects + # - objectSelector: + # matchExpressions: + # - key: webhooks.kyverno.io/exclude + # operator: DoesNotExist + + # -- Defines annotations to set on webhook configurations. + webhookAnnotations: + # Example to disable admission enforcer on AKS: + 'admissions.enforcer/disabled': 'true' + + # -- Defines labels to set on webhook configurations. + webhookLabels: {} + # Example to adopt webhook resources in ArgoCD: + # 'argocd.argoproj.io/instance': 'kyverno' + + # -- Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). + matchConditions: [] + + # -- Exclude Kyverno namespace + # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters + excludeKyvernoNamespace: true + + # -- resourceFilter namespace exclude + # Namespaces to exclude from the default resourceFilters + resourceFiltersExcludeNamespaces: [] + + # -- resourceFilters exclude list + # Items to exclude from config.resourceFilters + resourceFiltersExclude: [] + + # -- resourceFilter namespace include + # Namespaces to include to the default resourceFilters + resourceFiltersIncludeNamespaces: [] + + # -- resourceFilters include list + # Items to include to config.resourceFilters + resourceFiltersInclude: [] + +# Metrics configuration +metricsConfig: + + # -- Create the configmap. + create: true + + # -- (string) The configmap name (required if `create` is `false`). + name: ~ + + # -- Additional annotations to add to the configmap. + annotations: {} + + namespaces: + + # -- List of namespaces to capture metrics for. + include: [] + + # -- list of namespaces to NOT capture metrics for. + exclude: [] + + # -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0 + metricsRefreshInterval: ~ + # metricsRefreshInterval: 24h + + # -- (list) Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller + bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30] + + # -- (map) Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller + metricsExposure: + kyverno_policy_execution_duration_seconds: + # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5] + disabledLabelDimensions: ["resource_namespace", "resource_request_operation"] + kyverno_admission_review_duration_seconds: + # enabled: false + disabledLabelDimensions: ["resource_namespace"] + kyverno_policy_rule_info_total: + disabledLabelDimensions: ["resource_namespace", "policy_namespace"] + kyverno_policy_results_total: + disabledLabelDimensions: ["resource_namespace", "policy_namespace"] + kyverno_admission_requests_total: + disabledLabelDimensions: ["resource_namespace"] + kyverno_cleanup_controller_deletedobjects_total: + disabledLabelDimensions: ["resource_namespace", "policy_namespace"] + +# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument +imagePullSecrets: {} + # regcred: + # registry: foo.example.com + # username: foobar + # password: secret + # regcred2: + # registry: bar.example.com + # username: barbaz + # password: secret2 + +# -- Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument +existingImagePullSecrets: [] + # - test-registry + # - other-test-registry + +# Tests configuration +test: + # -- Sleep time before running test + sleep: 20 + + image: + # -- (string) Image registry + registry: ~ + # -- Image repository + repository: busybox + # -- Image tag + # Defaults to `latest` if omitted + tag: '1.35' + # -- (string) Image pull policy + # Defaults to image.pullPolicy if omitted + pullPolicy: ~ + + # -- Image pull secrets + imagePullSecrets: [] + # - name: secretName + + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + + # -- Security context for the test containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + +# -- Additional labels +customLabels: {} + +webhooksCleanup: + # -- Create a helm pre-delete hook to cleanup webhooks. + enabled: true + + autoDeleteWebhooks: + # -- Allow webhooks controller to delete webhooks using finalizers + enabled: false + + image: + # -- (string) Image registry + registry: ~ + # -- Image repository + repository: bitnami/kubectl + # -- Image tag + # Defaults to `latest` if omitted + tag: '1.32.3' + # -- (string) Image pull policy + # Defaults to image.pullPolicy if omitted + pullPolicy: ~ + + # -- Image pull secrets + imagePullSecrets: [] + + # -- Security context for the pod + podSecurityContext: {} + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + # -- Pod anti affinity constraints. + podAntiAffinity: {} + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Pod labels. + podLabels: {} + + # -- Pod annotations. + podAnnotations: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Security context for the hook containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + +policyReportsCleanup: + # -- Create a helm post-upgrade hook to cleanup the old policy reports. + enabled: true + + image: + # -- (string) Image registry + registry: ~ + # -- Image repository + repository: bitnami/kubectl + # -- Image tag + # Defaults to `latest` if omitted + tag: '1.32.3' + # -- (string) Image pull policy + # Defaults to image.pullPolicy if omitted + pullPolicy: ~ + + # -- Image pull secrets + imagePullSecrets: [] + # - name: secretName + + # -- Security context for the pod + podSecurityContext: {} + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + # -- Pod anti affinity constraints. + podAntiAffinity: {} + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Pod labels. + podLabels: {} + + # -- Pod annotations. + podAnnotations: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Security context for the hook containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + +grafana: + # -- Enable grafana dashboard creation. + enabled: false + + # -- Configmap name template. + configMapName: '{{ include "kyverno.fullname" . }}-grafana' + + # -- (string) Namespace to create the grafana dashboard configmap. + # If not set, it will be created in the same namespace where the chart is deployed. + namespace: ~ + + # -- Grafana dashboard configmap annotations. + annotations: {} + + # -- Grafana dashboard configmap labels + labels: + grafana_dashboard: "1" + + # -- create GrafanaDashboard custom resource referencing to the configMap. + # according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ + grafanaDashboard: + create: false + folder: kyverno + allowCrossNamespaceImport: true + matchLabels: + dashboards: "grafana" + +# Features configuration +features: + admissionReports: + # -- Enables the feature + enabled: true + aggregateReports: + # -- Enables the feature + enabled: true + policyReports: + # -- Enables the feature + enabled: true + validatingAdmissionPolicyReports: + # -- Enables the feature + enabled: false + reporting: + # -- Enables the feature + validate: true + # -- Enables the feature + mutate: true + # -- Enables the feature + mutateExisting: true + # -- Enables the feature + imageVerify: true + # -- Enables the feature + generate: true + autoUpdateWebhooks: + # -- Enables the feature + enabled: true + backgroundScan: + # -- Enables the feature + enabled: true + # -- Number of background scan workers + backgroundScanWorkers: 2 + # -- Background scan interval + backgroundScanInterval: 1h + # -- Skips resource filters in background scan + skipResourceFilters: true + configMapCaching: + # -- Enables the feature + enabled: true + deferredLoading: + # -- Enables the feature + enabled: true + dumpPayload: + # -- Enables the feature + enabled: false + forceFailurePolicyIgnore: + # -- Enables the feature + enabled: false + generateValidatingAdmissionPolicy: + # -- Enables the feature + enabled: false + dumpPatches: + # -- Enables the feature + enabled: false + globalContext: + # -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended) + maxApiCallResponseLength: 2000000 + logging: + # -- Logging format + format: text + # -- Logging verbosity + verbosity: 2 + omitEvents: + # -- Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) + eventTypes: + - PolicyApplied + - PolicySkipped + # - PolicyViolation + # - PolicyError + policyExceptions: + # -- Enables the feature + enabled: false + # -- Restrict policy exceptions to a single namespace + # Set to "*" to allow exceptions in all namespaces + namespace: '' + protectManagedResources: + # -- Enables the feature + enabled: false + registryClient: + # -- Allow insecure registry + allowInsecure: false + # -- Enable registry client helpers + credentialHelpers: + - default + - google + - amazon + - azure + - github + ttlController: + # -- Reconciliation interval for the label based cleanup manager + reconciliationInterval: 1m + tuf: + # -- Enables the feature + enabled: false + # -- (string) Path to Tuf root + root: ~ + # -- (string) Raw Tuf root + rootRaw: ~ + # -- (string) Tuf mirror + mirror: ~ + +# Admission controller configuration +admissionController: + autoscaling: + # -- Enable horizontal pod autoscaling + enabled: false + + # -- Minimum number of pods + minReplicas: 1 + + # -- Maximum number of pods + maxReplicas: 10 + + # -- Target CPU utilization percentage + targetCPUUtilizationPercentage: 80 + + # -- Configurable scaling behavior + behavior: {} + + # -- Overrides features defined at the root level + featuresOverride: + admissionReports: + # -- Max number of admission reports allowed in flight until the admission controller stops creating new ones + backPressureThreshold: 1000 + + rbac: + # -- Create RBAC resources + create: true + + # -- Create rolebinding to view role + createViewRoleBinding: true + + # -- The view role to use in the rolebinding + viewRoleName: view + + serviceAccount: + # -- The ServiceAccount name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: [] + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + # verbs: + # - create + # - update + # - delete + + # -- Create self-signed certificates at deployment time. + # The certificates won't be automatically renewed if this is set to `true`. + createSelfSignedCert: false + + # -- (int) Desired number of pods + replicas: ~ + + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Resync period for informers + resyncPeriod: 15m + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment annotations. + annotations: {} + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities. + # This will help ensure Kyverno stability in busy clusters. + # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ + apiPriorityAndFairness: false + + # -- Priority level configuration. + # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. + # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration + # @default -- See [values.yaml](values.yaml) + priorityLevelConfigurationSpec: + type: Limited + limited: + nominalConcurrencyShares: 10 + limitResponse: + queuing: + queueLengthLimit: 50 + type: Queue + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- admissionController webhook server port + # in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to + webhookServer: + port: 9443 + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- `dnsConfig` allows to specify DNS configuration for the pod. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. + dnsConfig: {} + # options: + # - name: ndots + # value: "2" + + # -- Startup probe. + # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + startupProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + failureThreshold: 20 + initialDelaySeconds: 2 + periodSeconds: 6 + + # -- Liveness probe. + # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + livenessProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 + + # -- Readiness Probe. + # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + readinessProbe: + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - admission-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + podDisruptionBudget: + # -- Enable PodDisruptionBudget. + # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. + enabled: false + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + # -- A writable volume to use for the TUF root initialization. + tufRootMountPath: /.sigstore + + # -- Volume to be mounted in pods for TUF/cosign work. + sigstoreVolume: + emptyDir: {} + + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.admissionController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + initContainer: + + image: + # -- Image registry + registry: ~ + defaultRegistry: reg.kyverno.io + # -- Image repository + repository: kyverno/kyvernopre + # -- (string) Image tag + # If missing, defaults to image.tag + tag: ~ + # -- (string) Image pull policy + # If missing, defaults to image.pullPolicy + pullPolicy: ~ + + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + + # -- Container security context + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # -- Additional container args. + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + container: + + image: + # -- Image registry + registry: ~ + defaultRegistry: reg.kyverno.io + # -- Image repository + repository: kyverno/kyverno + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + resources: + # -- Pod resource limits + limits: + memory: 384Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 128Mi + + # -- Container security context + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # -- Additional container args. + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + # -- Array of extra init containers + extraInitContainers: [] + # - name: init-container + # image: busybox + # command: ['sh', '-c', 'echo Hello'] + + # -- Array of extra containers to run alongside kyverno + extraContainers: [] + # - name: myapp-container + # image: busybox + # command: ['sh', '-c', 'echo Hello && sleep 3600'] + + service: + # -- Service port. + port: 443 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Kyverno's metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + networkPolicy: + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + # -- RelabelConfigs to apply to samples before scraping + relabelings: [] + # -- MetricRelabelConfigs to apply to samples before ingestion. + metricRelabelings: [] + + tracing: + # -- Enable tracing + enabled: false + # -- Traces receiver address + address: + # -- Traces receiver port + port: + # -- Traces receiver credentials + creds: '' + + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- Otel collector endpoint + collector: '' + # -- Otel collector credentials + creds: '' + + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + +# Background controller configuration +backgroundController: + + # -- Overrides features defined at the root level + featuresOverride: {} + + # -- Enable background controller. + enabled: true + + rbac: + # -- Create RBAC resources + create: true + + # -- Create rolebinding to view role + createViewRoleBinding: true + + # -- The view role to use in the rolebinding + viewRoleName: view + + serviceAccount: + # -- Service account name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + - networkpolicies + verbs: + - create + - update + - patch + - delete + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - update + - patch + - delete + - apiGroups: + - '' + resources: + - configmaps + - resourcequotas + - limitranges + verbs: + - create + - update + - patch + - delete + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + # verbs: + # - create + # - update + # - delete + # - patch + + image: + # -- Image registry + registry: ~ + defaultRegistry: reg.kyverno.io + # -- Image repository + repository: kyverno/background-controller + # -- Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + # -- (int) Desired number of pods + replicas: ~ + + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Resync period for informers + resyncPeriod: 15m + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment annotations. + annotations: {} + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- `dnsConfig` allows to specify DNS configuration for the pod. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. + dnsConfig: {} + # options: + # - name: ndots + # value: "2" + + # -- Extra arguments passed to the container on the command line + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + resources: + # -- Pod resource limits + limits: + memory: 128Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 64Mi + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - background-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + # -- Security context for the containers + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + podDisruptionBudget: + # -- Enable PodDisruptionBudget. + # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. + enabled: false + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.backgroundController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `metricsService.type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + networkPolicy: + + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + # -- RelabelConfigs to apply to samples before scraping + relabelings: [] + # -- MetricRelabelConfigs to apply to samples before ingestion. + metricRelabelings: [] + + tracing: + # -- Enable tracing + enabled: false + # -- Traces receiver address + address: + # -- Traces receiver port + port: + # -- Traces receiver credentials + creds: '' + + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- Otel collector endpoint + collector: '' + # -- Otel collector credentials + creds: '' + + # -- backgroundController server port + # in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to + server: + port: 9443 + + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + +# Cleanup controller configuration +cleanupController: + + # -- Overrides features defined at the root level + featuresOverride: {} + + # -- Enable cleanup controller. + enabled: true + + rbac: + # -- Create RBAC resources + create: true + + serviceAccount: + # -- Service account name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + # verbs: + # - delete + # - list + # - watch + + # -- Create self-signed certificates at deployment time. + # The certificates won't be automatically renewed if this is set to `true`. + createSelfSignedCert: false + + image: + # -- Image registry + registry: ~ + defaultRegistry: reg.kyverno.io + # -- Image repository + repository: kyverno/cleanup-controller + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + # -- (int) Desired number of pods + replicas: ~ + + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Resync period for informers + resyncPeriod: 15m + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment annotations. + annotations: {} + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- cleanupController server port + # in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to + server: + port: 9443 + # -- cleanupController webhook server port + # in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to + webhookServer: + port: 9443 + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- `dnsConfig` allows to specify DNS configuration for the pod. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. + dnsConfig: {} + # options: + # - name: ndots + # value: "2" + + # -- Extra arguments passed to the container on the command line + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + resources: + # -- Pod resource limits + limits: + memory: 128Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 64Mi + + # -- Startup probe. + # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + startupProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + failureThreshold: 20 + initialDelaySeconds: 2 + periodSeconds: 6 + + # -- Liveness probe. + # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + livenessProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 + + # -- Readiness Probe. + # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + readinessProbe: + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - cleanup-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + # -- Security context for the containers + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + podDisruptionBudget: + # -- Enable PodDisruptionBudget. + # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. + enabled: false + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + service: + # -- Service port. + port: 443 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `service.type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `metricsService.type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + networkPolicy: + + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + # -- RelabelConfigs to apply to samples before scraping + relabelings: [] + # -- MetricRelabelConfigs to apply to samples before ingestion. + metricRelabelings: [] + + tracing: + # -- Enable tracing + enabled: false + # -- Traces receiver address + address: + # -- Traces receiver port + port: + # -- Traces receiver credentials + creds: '' + + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- Otel collector endpoint + collector: '' + # -- Otel collector credentials + creds: '' + + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + +# Reports controller configuration +reportsController: + + # -- Overrides features defined at the root level + featuresOverride: {} + + # -- Enable reports controller. + enabled: true + + rbac: + # -- Create RBAC resources + create: true + + # -- Create rolebinding to view role + createViewRoleBinding: true + + # -- The view role to use in the rolebinding + viewRoleName: view + + serviceAccount: + # -- Service account name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: [] + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + + image: + # -- Image registry + registry: ~ + defaultRegistry: reg.kyverno.io + # -- Image repository + repository: kyverno/reports-controller + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + # -- (int) Desired number of pods + replicas: ~ + + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Resync period for informers + resyncPeriod: 15m + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment annotations. + annotations: {} + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities. + # This will help ensure Kyverno reports stability in busy clusters. + # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ + apiPriorityAndFairness: false + + # -- Priority level configuration. + # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. + # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration + # @default -- See [values.yaml](values.yaml) + priorityLevelConfigurationSpec: + type: Limited + limited: + nominalConcurrencyShares: 10 + limitResponse: + queuing: + queueLengthLimit: 50 + type: Queue + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- `dnsConfig` allows to specify DNS configuration for the pod. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. + dnsConfig: {} + # options: + # - name: ndots + # value: "2" + + # -- Extra arguments passed to the container on the command line + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + resources: + # -- Pod resource limits + limits: + memory: 128Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 64Mi + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - reports-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + # -- Security context for the containers + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + podDisruptionBudget: + # -- Enable PodDisruptionBudget. + # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. + enabled: false + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + # -- A writable volume to use for the TUF root initialization. + tufRootMountPath: /.sigstore + + # -- Volume to be mounted in pods for TUF/cosign work. + sigstoreVolume: + emptyDir: {} + + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.reportsController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- (string) Service node port. + # Only used if `type` is `NodePort`. + nodePort: ~ + # -- Service annotations. + annotations: {} + + networkPolicy: + + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + # -- RelabelConfigs to apply to samples before scraping + relabelings: [] + # -- MetricRelabelConfigs to apply to samples before ingestion. + metricRelabelings: [] + + tracing: + # -- Enable tracing + enabled: false + # -- (string) Traces receiver address + address: ~ + # -- (string) Traces receiver port + port: ~ + # -- (string) Traces receiver credentials + creds: ~ + + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- (string) Otel collector endpoint + collector: ~ + # -- (string) Otel collector credentials + creds: ~ + + # -- reportsController server port + # in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to + server: + port: 9443 + + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + + # -- Enable sanity check for reports CRDs + sanityChecks: true diff --git a/k3-kyverno-test/test-with-report.sh b/k3-kyverno-test/test-with-report.sh new file mode 100755 index 0000000..be4f388 --- /dev/null +++ b/k3-kyverno-test/test-with-report.sh @@ -0,0 +1,436 @@ +#!/bin/bash + +# Kyverno 테스트 스크립트 (마크다운 리포트 포함) +set -e + +echo "🚀 Kyverno 테스트 시작 (리포트 생성)" + +# 색상 정의 +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' + +# 리포트 파일 설정 +REPORT_FILE="kyverno-test-report-$(date +%Y%m%d-%H%M%S).md" +TEST_START_TIME=$(date '+%Y-%m-%d %H:%M:%S') + +print_status() { + echo -e "${GREEN}[INFO]${NC} $1" + echo "$(date '+%H:%M:%S') [INFO] $1" >> "$REPORT_FILE" +} + +print_warning() { + echo -e "${YELLOW}[WARNING]${NC} $1" + echo "$(date '+%H:%M:%S') [WARNING] $1" >> "$REPORT_FILE" +} + +print_error() { + echo -e "${RED}[ERROR]${NC} $1" + echo "$(date '+%H:%M:%S') [ERROR] $1" >> "$REPORT_FILE" +} + +# 마크다운 헤더 생성 +init_report() { + cat > "$REPORT_FILE" << EOF +# Kyverno 테스트 리포트 + +**테스트 시작 시간**: $TEST_START_TIME +**테스트 환경**: k3s 클러스터 +**목적**: CPU 리소스 요청/제한에 대한 Kyverno 정책 효과 검증 + +## 테스트 개요 + +1. 더미 앱 15개 배포하여 노드 리소스 50-60% 사용 +2. Kyverno 정책 배포 (CPU 제한을 300m으로 제한) +3. 정책 효과 확인 +4. 리소스 사용량 변화 측정 + +--- + +## 디렉토리 구조 + +\`\`\` +/home/dongdorrong/github/private/kubernetes/k3-kyverno-test/ +├── dummy-app/ # Helm 차트 +│ ├── Chart.yaml +│ ├── values.yaml +│ └── templates/ +├── kyverno/ # Kyverno Helm 차트 +├── kyverno-policy/ # 정책 파일들 +├── simple-test.sh # 기본 테스트 스크립트 +└── test-with-report.sh # 리포트 생성 스크립트 +\`\`\` + +--- + +EOF +} + +# 노드 리소스 정보를 마크다운으로 기록 +record_node_resources() { + local title="$1" + local timestamp=$(date '+%Y-%m-%d %H:%M:%S') + + echo "" >> "$REPORT_FILE" + echo "## $title" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + echo "**시간**: $timestamp" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # 노드 기본 정보 + echo "### 노드 기본 정보" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + kubectl get nodes -o wide >> "$REPORT_FILE" 2>/dev/null || echo "노드 정보 조회 실패" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # 리소스 할당 현황 + echo "### 리소스 할당 현황" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + kubectl describe node | grep -A 15 "Allocated resources" >> "$REPORT_FILE" 2>/dev/null || echo "리소스 정보 조회 실패" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # 파드 목록 + echo "### 현재 실행 중인 파드" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + kubectl get pods --all-namespaces -o wide >> "$REPORT_FILE" 2>/dev/null || echo "파드 정보 조회 실패" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # Top 명령어 (가능한 경우) + echo "### 실시간 리소스 사용량" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + kubectl top node >> "$REPORT_FILE" 2>/dev/null || echo "metrics-server가 준비되지 않았습니다" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + echo "---" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" +} + +# 현재 노드 리소스 사용량 확인 +check_node_resources() { + print_status "현재 노드 리소스 사용량 확인" + kubectl top node 2>/dev/null || echo "metrics-server가 준비되지 않았습니다" + kubectl describe node | grep -A 10 "Allocated resources" +} + +# 1단계: 더미 앱을 여러 개 배포하여 50-60% 리소스 사용 +deploy_dummy_apps() { + print_status "1단계: 더미 앱들을 배포하여 노드 리소스 50-60% 사용" + + echo "" >> "$REPORT_FILE" + echo "## 1단계: 더미 앱 배포" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + echo "**목표**: 각 앱당 800m CPU 요청, 1000m CPU 제한으로 15개 배포" >> "$REPORT_FILE" + echo "**예상 총 CPU 요청**: 12000m (50%)" >> "$REPORT_FILE" + echo "**예상 총 CPU 제한**: 15000m (62.5%)" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # 배포 전 상태 기록 + record_node_resources "배포 전 노드 상태" + + local deployed_count=0 + local failed_count=0 + + # 각 앱당 800m CPU 요청, 1000m CPU 제한으로 설정 + # 15개 배포하면 약 12000m (50%) 요청 + for i in {1..15}; do + print_status "더미 앱 $i 배포 중..." + + if helm install dummy-$i ./dummy-app \ + --set resources.requests.cpu=800m \ + --set resources.requests.memory=256Mi \ + --set resources.limits.cpu=1000m \ + --set resources.limits.memory=512Mi \ + --wait --timeout=60s; then + deployed_count=$((deployed_count + 1)) + echo "✅ dummy-$i 배포 성공" >> "$REPORT_FILE" + else + failed_count=$((failed_count + 1)) + echo "❌ dummy-$i 배포 실패" >> "$REPORT_FILE" + fi + + # 5개마다 상태 확인 + if [ $((i % 5)) -eq 0 ]; then + print_status "현재까지 $i개 배포 시도 완료 (성공: $deployed_count, 실패: $failed_count)" + local current_pods=$(kubectl get pods | grep dummy- | wc -l) + echo "현재 실행 중인 더미 파드 수: $current_pods" >> "$REPORT_FILE" + fi + done + + print_status "모든 더미 앱 배포 완료 (성공: $deployed_count, 실패: $failed_count)" + echo "" >> "$REPORT_FILE" + echo "**배포 결과**: 성공 $deployed_count개, 실패 $failed_count개" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # 배포 후 상태 기록 + record_node_resources "배포 후 노드 상태" + + check_node_resources +} + +# 2단계: Kyverno 정책 배포 +deploy_kyverno_policies() { + print_status "2단계: Kyverno 정책 배포" + + echo "" >> "$REPORT_FILE" + echo "## 2단계: Kyverno 정책 배포" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # 간단한 CPU 제한 정책 생성 + cat > cpu-limit-policy.yaml << 'EOF' +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: limit-cpu-usage + annotations: + policies.kyverno.io/title: Limit CPU Usage + policies.kyverno.io/category: Resource Management + policies.kyverno.io/description: CPU 제한을 300m 이하로 제한 +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-cpu-limit + match: + any: + - resources: + kinds: + - Pod + validate: + message: "CPU 제한은 300m을 초과할 수 없습니다" + pattern: + spec: + containers: + - name: "*" + resources: + limits: + cpu: "<=300m" +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-cpu-limits + annotations: + policies.kyverno.io/title: Mutate CPU Limits + policies.kyverno.io/category: Resource Management + policies.kyverno.io/description: CPU 제한이 300m을 초과하면 300m으로 변경 +spec: + rules: + - name: reduce-cpu-limits + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + spec: + containers: + - (name): "*" + resources: + limits: + cpu: "300m" + requests: + cpu: "150m" +EOF + + echo "### 적용된 정책" >> "$REPORT_FILE" + echo "\`\`\`yaml" >> "$REPORT_FILE" + cat cpu-limit-policy.yaml >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + if kubectl apply -f cpu-limit-policy.yaml; then + print_status "Kyverno 정책 적용 완료" + echo "✅ Kyverno 정책 적용 성공" >> "$REPORT_FILE" + else + print_error "Kyverno 정책 적용 실패" + echo "❌ Kyverno 정책 적용 실패" >> "$REPORT_FILE" + fi + + sleep 5 + + # 정책 상태 확인 + echo "" >> "$REPORT_FILE" + echo "### 정책 상태 확인" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + kubectl get clusterpolicy >> "$REPORT_FILE" 2>/dev/null || echo "정책 조회 실패" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" +} + +# 3단계: 새로운 앱 배포하여 정책 효과 확인 +test_policy_effect() { + print_status "3단계: 새로운 앱 배포하여 정책 효과 확인" + + echo "" >> "$REPORT_FILE" + echo "## 3단계: 정책 효과 테스트" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # 높은 CPU 제한 테스트 + echo "### 높은 CPU 제한 앱 배포 테스트 (1000m)" >> "$REPORT_FILE" + print_status "높은 CPU 제한으로 앱 배포 시도 (1000m - 정책 위반 예상)" + + if helm install test-high ./dummy-app \ + --set resources.requests.cpu=500m \ + --set resources.limits.cpu=1000m \ + --wait --timeout=60s; then + print_warning "⚠️ 높은 CPU 제한 앱이 배포되었습니다 (정책이 적용되지 않았거나 mutate됨)" + echo "⚠️ 높은 CPU 제한 앱 배포 성공 (정책이 mutate했을 가능성)" >> "$REPORT_FILE" + + echo "" >> "$REPORT_FILE" + echo "**실제 적용된 리소스 설정**:" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + kubectl describe pod -l app.kubernetes.io/instance=test-high | grep -A 10 "Limits:" >> "$REPORT_FILE" 2>/dev/null || echo "파드 정보 조회 실패" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + else + print_status "✅ 높은 CPU 제한 앱 배포가 차단되었습니다 (정책 효과 확인)" + echo "✅ 높은 CPU 제한 앱 배포 차단됨 (정책 효과 확인)" >> "$REPORT_FILE" + fi + + echo "" >> "$REPORT_FILE" + + # 낮은 CPU 제한 테스트 + echo "### 낮은 CPU 제한 앱 배포 테스트 (200m)" >> "$REPORT_FILE" + print_status "낮은 CPU 제한으로 앱 배포 시도 (200m - 정책 통과 예상)" + + if helm install test-low ./dummy-app \ + --set resources.requests.cpu=100m \ + --set resources.limits.cpu=200m \ + --wait --timeout=60s; then + print_status "✅ 낮은 CPU 제한 앱이 성공적으로 배포되었습니다" + echo "✅ 낮은 CPU 제한 앱 배포 성공" >> "$REPORT_FILE" + + echo "" >> "$REPORT_FILE" + echo "**실제 적용된 리소스 설정**:" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + kubectl describe pod -l app.kubernetes.io/instance=test-low | grep -A 10 "Limits:" >> "$REPORT_FILE" 2>/dev/null || echo "파드 정보 조회 실패" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + else + print_error "❌ 낮은 CPU 제한 앱 배포가 실패했습니다" + echo "❌ 낮은 CPU 제한 앱 배포 실패" >> "$REPORT_FILE" + fi + + echo "" >> "$REPORT_FILE" +} + +# 4단계: 리소스 사용량 변화 확인 +check_resource_changes() { + print_status "4단계: 리소스 사용량 변화 확인" + + echo "" >> "$REPORT_FILE" + echo "## 4단계: 리소스 사용량 변화 확인" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # 정책 적용 후 상태 기록 + record_node_resources "정책 적용 후 노드 상태" + + print_status "현재 노드 리소스 사용량:" + check_node_resources + + print_status "배포된 파드들의 리소스 설정:" + echo "### 배포된 파드들의 리소스 설정" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + kubectl get pods -o custom-columns="NAME:.metadata.name,CPU_REQ:.spec.containers[0].resources.requests.cpu,CPU_LIM:.spec.containers[0].resources.limits.cpu" | grep dummy >> "$REPORT_FILE" 2>/dev/null || echo "파드 리소스 정보 조회 실패" >> "$REPORT_FILE" + echo "\`\`\`" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" +} + +# 정리 함수 +cleanup() { + print_status "리소스 정리" + + echo "" >> "$REPORT_FILE" + echo "## 리소스 정리" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + local cleanup_start=$(date '+%Y-%m-%d %H:%M:%S') + echo "**정리 시작 시간**: $cleanup_start" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + + # 모든 더미 앱 제거 + for i in {1..15}; do + helm uninstall dummy-$i --ignore-not-found=true 2>/dev/null || true + done + + # 테스트 앱 제거 + helm uninstall test-high --ignore-not-found=true 2>/dev/null || true + helm uninstall test-low --ignore-not-found=true 2>/dev/null || true + + # 정책 제거 + kubectl delete -f cpu-limit-policy.yaml --ignore-not-found=true 2>/dev/null || true + rm -f cpu-limit-policy.yaml + + print_status "정리 완료" + echo "✅ 모든 리소스 정리 완료" >> "$REPORT_FILE" + + # 정리 후 상태 기록 + record_node_resources "정리 후 노드 상태" + + # 리포트 마무리 + local test_end_time=$(date '+%Y-%m-%d %H:%M:%S') + echo "" >> "$REPORT_FILE" + echo "---" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + echo "## 테스트 완료" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + echo "**테스트 종료 시간**: $test_end_time" >> "$REPORT_FILE" + echo "**리포트 파일**: $REPORT_FILE" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" + echo "### 요약" >> "$REPORT_FILE" + echo "- 더미 앱 배포를 통한 노드 리소스 사용량 증가 확인" >> "$REPORT_FILE" + echo "- Kyverno 정책을 통한 CPU 제한 제어 확인" >> "$REPORT_FILE" + echo "- 정책 적용 전후 리소스 사용량 변화 측정" >> "$REPORT_FILE" + echo "" >> "$REPORT_FILE" +} + +# 메인 함수 +main() { + # 리포트 초기화 + init_report + + case "${1:-all}" in + "deploy") + deploy_dummy_apps + ;; + "policies") + deploy_kyverno_policies + ;; + "test") + test_policy_effect + ;; + "check") + check_resource_changes + ;; + "clean") + cleanup + ;; + "all") + print_status "전체 테스트 시작" + deploy_dummy_apps + deploy_kyverno_policies + test_policy_effect + check_resource_changes + print_status "전체 테스트 완료" + ;; + *) + echo "사용법: $0 [deploy|policies|test|check|clean|all]" + echo " deploy: 더미 앱 15개 배포 (50-60% 리소스 사용)" + echo " policies: Kyverno 정책 배포" + echo " test: 정책 효과 테스트" + echo " check: 리소스 사용량 확인" + echo " clean: 모든 리소스 정리" + echo " all: 전체 테스트 실행 (기본값)" + exit 1 + ;; + esac + + print_status "리포트가 $REPORT_FILE 에 저장되었습니다" +} + +# 스크립트 실행 +main "$@" \ No newline at end of file