diff --git a/scripts/helmcharts/toolings/Chart.yaml b/scripts/helmcharts/toolings/Chart.yaml index 05509f121..9ef9030f3 100644 --- a/scripts/helmcharts/toolings/Chart.yaml +++ b/scripts/helmcharts/toolings/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: utilties +name: tooling description: A Helm chart for Kubernetes # A chart can be either an 'application' or a 'library' chart. diff --git a/scripts/helmcharts/toolings/charts/kyverno/.helmignore b/scripts/helmcharts/toolings/charts/kyverno/.helmignore new file mode 100644 index 000000000..20b07486a --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/.helmignore @@ -0,0 +1,2 @@ +ci/ +README.md.gotmpl diff --git a/scripts/helmcharts/toolings/charts/kyverno/Chart.yaml b/scripts/helmcharts/toolings/charts/kyverno/Chart.yaml index ca68a5f08..f0b1aad5c 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/Chart.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/Chart.yaml @@ -1,14 +1,38 @@ annotations: artifacthub.io/changes: | + - kind: added + description: Added possibility to define additional init and sidecar container. + - kind: added + description: Added ability to remove namespaces from default resourceFilters list. + - kind: added + description: Prevent installing Kyverno in namespace kube-system. + - kind: fixed + description: Docs for generatecontrollerExtraResources. - kind: changed - description: Exclude Kyverno namespace by default + description: Enable autogen internals by default. + - kind: fixed + description: Self signed certificates not using SANs. + - kind: added + description: Extra args support for init container. + - kind: added + description: Allow overriding of test security context and resource block. + - kind: added + description: Added possibility to define custom image registries + - kind: added + description: Enable adding optional annotations to configmaps + - kind: added + description: Add startup probes support + - kind: added + description: Support extra CRD annotations + - kind: added + description: Grafana dashboard. artifacthub.io/links: | - name: Documentation url: https://kyverno.io/docs artifacthub.io/operator: "false" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: v1.7.5 +appVersion: v1.8.5 description: Kubernetes Native Policy Management home: https://kyverno.io/ icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png @@ -26,4 +50,4 @@ name: kyverno sources: - https://github.com/kyverno/kyverno type: application -version: v2.5.5 +version: 2.6.5 diff --git a/scripts/helmcharts/toolings/charts/kyverno/README.md b/scripts/helmcharts/toolings/charts/kyverno/README.md index bd52471a5..caf65fb85 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/README.md +++ b/scripts/helmcharts/toolings/charts/kyverno/README.md @@ -2,7 +2,7 @@ Kubernetes Native Policy Management -![Version: v2.5.5](https://img.shields.io/badge/Version-v2.5.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.5](https://img.shields.io/badge/AppVersion-v1.7.5-informational?style=flat-square) +![Version: 2.6.5](https://img.shields.io/badge/Version-2.6.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.8.5](https://img.shields.io/badge/AppVersion-v1.8.5-informational?style=flat-square) ## About @@ -46,6 +46,65 @@ The command deploys Kyverno on the Kubernetes cluster with default configuration The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`. Other ClusterRole/ClusterRoleBinding names are configurable. +**Notes on using ArgoCD:** + +When deploying this chart with ArgoCD you will need to enable `Replace` in the `syncOptions`, and you probably want to ignore diff in aggregated cluster roles. + +You can do so by following instructions in these pages of ArgoCD documentation: +- [Enable Replace in the syncOptions](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#replace-resource-instead-of-applying-changes) +- [Ignore diff in aggregated cluster roles](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#ignoring-rbac-changes-made-by-aggregateroles) + +ArgoCD uses helm only for templating but applies the results with `kubectl`. + +Unfortunately `kubectl` adds metadata that will cross the limit allowed by Kuberrnetes. Using `Replace` overcomes this limitation. + +Another option is to use server side apply, this will be supported in ArgoCD v2.5. + +Finally, we introduced new CRDs in 1.8 to manage resource-level reports. Those reports are associated with parent resources using an `ownerReference` object. + +As a consequence, ArgoCD will show those reports in the UI, but as they are managed dynamically by Kyverno it can pollute your dashboard. + +You can tell ArgoCD to ignore reports globally by adding them under the `resource.exclusions` stanza in the ArgoCD ConfigMap. + +```yaml + resource.exclusions: | + - apiGroups: + - kyverno.io + kinds: + - AdmissionReport + - BackgroundScanReport + - ClusterAdmissionReport + - ClusterBackgroundScanReport + clusters: + - '*' +``` + +Below is an example of ArgoCD Application manifest that should work with this chart. + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kyverno + namespace: argocd +spec: + destination: + namespace: kyverno + server: https://kubernetes.default.svc + project: default + source: + chart: kyverno + repoURL: https://kyverno.github.io/kyverno + targetRevision: 2.6.0 + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - Replace=true +``` + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment: @@ -68,14 +127,18 @@ The command removes all the Kubernetes components associated with the chart and | rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount | | rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | | rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| image.registry | string | `nil` | Image registry | | image.repository | string | `"ghcr.io/kyverno/kyverno"` | Image repository | | image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | image.pullSecrets | list | `[]` | Image pull secrets | +| initImage.registry | string | `nil` | Image registry | | initImage.repository | string | `"ghcr.io/kyverno/kyvernopre"` | Image repository | | initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag | | initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy | -| testImage.repository | string | `nil` | Image repository Defaults to `busybox` if omitted | +| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. | +| testImage.registry | string | `nil` | Image registry | +| testImage.repository | string | `"busybox"` | Image repository | | testImage.tag | string | `nil` | Image tag Defaults to `latest` if omitted | | testImage.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | | replicaCount | int | `nil` | Desired number of pods | @@ -83,6 +146,7 @@ The command removes all the Kubernetes components associated with the chart and | podAnnotations | object | `{}` | Additional annotations to add to each pod | | podSecurityContext | object | `{}` | Security context for the pod | | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| testSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers | | priorityClassName | string | `""` | Optional priority class to be used for kyverno pods | | antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | | podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | @@ -96,23 +160,31 @@ The command removes all the Kubernetes components associated with the chart and | dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | | envVarsInit | object | `{}` | Env variables for initContainers. | | envVars | object | `{}` | Env variables for containers. | -| extraArgs | list | `["--autogenInternals=false"]` | Extra arguments to give to the binary. | +| extraArgs | list | `["--autogenInternals=true","--loggingFormat=text"]` | Extra arguments to give to the binary. | +| extraInitContainers | list | `[]` | Array of extra init containers | +| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | | imagePullSecrets | object | `{}` | Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. | | resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | | resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | | initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | +| testResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| testResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | +| startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | | livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | | readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | -| generatecontrollerExtraResources | string | `nil` | | +| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. | | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | +| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | | config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) | +| config.annotations | object | `{}` | Additional annotations to add to the configmap | | config.excludeGroupRole | string | `nil` | Exclude group role | | config.excludeUsername | string | `nil` | Exclude username | | config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | | config.generateSuccessEvents | bool | `false` | Generate success events. | -| config.metricsConfig | object | `{"namespaces":{"exclude":[],"include":[]}}` | Metrics config. | +| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. | +| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap | | updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | service.port | int | `443` | Service port. | | service.type | string | `"ClusterIP"` | Service type. | @@ -131,13 +203,17 @@ The command removes all the Kubernetes components associated with the chart and | serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | | serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | | serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | -| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false | +| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false | | installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. | +| crds.annotations | object | `{}` | Additional CRDs annotations. | | networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | | networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | | webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. | | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. | -| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization | +| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | +| grafana.enabled | bool | `false` | Enable grafana dashboard creation. | +| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. | +| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. | ## TLS Configuration @@ -160,8 +236,10 @@ This chart comes with default resource filters that apply exclusions on a couple - `SelfSubjectAccessReview` - `Binding` - `ReplicaSet` - - `ReportChangeRequest` - - `ClusterReportChangeRequest` + - `AdmissionReport` + - `ClusterAdmissionReport` + - `BackgroundScanReport` + - `ClusterBackgroundScanReport` - all resources created by this chart itself Those default exclusions are there to prevent disruptions as much as possible. @@ -194,7 +272,7 @@ Kubernetes: `>=1.16.0-0` | Name | Email | Url | | ---- | ------ | --- | -| Nirmata | | https://kyverno.io/ | +| Nirmata | | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/scripts/helmcharts/toolings/charts/kyverno/README.md.gotmpl b/scripts/helmcharts/toolings/charts/kyverno/README.md.gotmpl deleted file mode 100644 index f1b7e9ebf..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/README.md.gotmpl +++ /dev/null @@ -1,110 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.deprecationWarning" . }} -{{ template "chart.description" . }} - -{{ template "chart.badgesSection" . }} - -## About - -[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. - -It allows you to: -- Manage policies as Kubernetes resources (no new language required.) -- Validate, mutate, and generate resource configurations. -- Select resources based on labels and wildcards. -- View policy enforcement as events. -- Scan existing resources for violations. - -This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -Access the complete user documentation and guides at: https://kyverno.io. - -## Installing the Chart - -**Add the Kyverno Helm repository:** - -```console -$ helm repo add kyverno https://kyverno.github.io/kyverno/ -``` - -**Create a namespace:** - -You can install Kyverno in any namespace. The examples use `kyverno` as the namespace. - -```console -$ kubectl create namespace kyverno -``` - -**Install the Kyverno chart:** - -```console -$ helm install kyverno --namespace kyverno kyverno/kyverno -``` - -The command deploys Kyverno on the Kubernetes cluster with default configuration. The [installation](https://kyverno.io/docs/installation/) guide lists the parameters that can be configured during installation. - -The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`. -Other ClusterRole/ClusterRoleBinding names are configurable. - -## Uninstalling the Chart - -To uninstall/delete the `kyverno` deployment: - -```console -$ helm delete -n kyverno kyverno -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -{{ template "chart.valuesSection" . }} - -## TLS Configuration - -If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) - -If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). - -## Default resource filters - -[Kyverno resource filters](https://kyverno.io/docs/installation/#resource-filters) are a used to exclude resources from the Kyverno engine rules processing. - -This chart comes with default resource filters that apply exclusions on a couple of namespaces and resource kinds: -- all resources in `kube-system`, `kube-public` and `kube-node-lease` namespaces -- all resources in all namespaces for the following resource kinds: - - `Event` - - `Node` - - `APIService` - - `TokenReview` - - `SubjectAccessReview` - - `SelfSubjectAccessReview` - - `Binding` - - `ReplicaSet` - - `ReportChangeRequest` - - `ClusterReportChangeRequest` -- all resources created by this chart itself - -Those default exclusions are there to prevent disruptions as much as possible. -Under the hood, Kyverno installs an admission controller for critical cluster resources. -A cluster can become unresponsive if Kyverno is not up and running, ultimately preventing pods to be scheduled in the cluster. - -You can however override the default resource filters by setting the `config.resourceFilters` stanza. -It contains an array of string templates that are passed through the `tpl` Helm function and joined together to produce the final `resourceFilters` written in the Kyverno config map. - -Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list. - -## High availability - -Running a highly-available Kyverno installation is crucial in a production environment. - -In order to run Kyverno in high availability mode, you should set `replicaCount` to `3` or more. -You should also pay attention to anti affinity rules, spreading pods across nodes and availability zones. - -Please see https://kyverno.io/docs/installation/#security-vs-operability for more informations. - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.maintainersSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/ci/hooks-values.yaml b/scripts/helmcharts/toolings/charts/kyverno/ci/hooks-values.yaml deleted file mode 100644 index 399110f1b..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/ci/hooks-values.yaml +++ /dev/null @@ -1,3 +0,0 @@ ---- -webhooksCleanup: - enable: true diff --git a/scripts/helmcharts/toolings/charts/kyverno/ci/imagePullSecrets-values.yaml b/scripts/helmcharts/toolings/charts/kyverno/ci/imagePullSecrets-values.yaml deleted file mode 100644 index 4ccd12266..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/ci/imagePullSecrets-values.yaml +++ /dev/null @@ -1,9 +0,0 @@ -imagePullSecrets: - regcred: - registry: foo.example.com - username: foobar - password: secret - regcred2: - registry: bar.example.com - username: barbaz - password: secret2 diff --git a/scripts/helmcharts/toolings/charts/kyverno/ci/networkpolicy-values.yaml b/scripts/helmcharts/toolings/charts/kyverno/ci/networkpolicy-values.yaml deleted file mode 100644 index dccffd6e5..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/ci/networkpolicy-values.yaml +++ /dev/null @@ -1,3 +0,0 @@ ---- -networkPolicy: - enabled: true diff --git a/scripts/helmcharts/toolings/charts/kyverno/grafana/dashboard.json b/scripts/helmcharts/toolings/charts/kyverno/grafana/dashboard.json new file mode 100644 index 000000000..f98d01124 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/grafana/dashboard.json @@ -0,0 +1,2854 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS_KYVERNO", + "label": "Prometheus Data Source exposing Kyverno's metrics", + "description": "Prometheus Data Source exposing Kyverno's metrics", + "type": "datasource" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": 2, + "iteration": 1628375170149, + "links": [], + "panels": [ + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "gridPos": { + "h": 6, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 42, + "options": { + "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)", + "mode": "markdown" + }, + "pluginVersion": "8.1.0", + "timeFrom": null, + "timeShift": null, + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 6 + }, + "id": 12, + "panels": [], + "title": "Latest Status", + "type": "row" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "red", + "value": 50 + }, + { + "color": "#EAB839", + "value": 75 + }, + { + "color": "green", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 29, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_policy_results_total{rule_result=\"fail\"}[24h]))*100/sum(delta(kyverno_policy_results_total{}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rule Execution Failure Rate (Last 24 Hours)", + "transparent": true, + "type": "gauge" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 8, + "y": 7 + }, + "id": 2, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"cluster\"}==1) by (policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Cluster Policies", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 12, + "y": 7 + }, + "id": 3, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"namespaced\"}==1) by (policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Policies", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "red", + "value": 50 + }, + { + "color": "#EAB839", + "value": 75 + }, + { + "color": "green", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 28, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_policy_results_total{rule_result=\"fail\", policy_background_mode=\"true\"}[24h]))*100/sum(delta(kyverno_policy_results_total{policy_background_mode=\"true\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Background Scans Failure Rate (Last 24 Hours)", + "transparent": true, + "type": "gauge" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 6, + "y": 12 + }, + "id": 4, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(kyverno_policy_rule_info_total{rule_type=\"validate\"}==1)", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Validate Rules", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 10, + "y": 12 + }, + "id": 23, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(kyverno_policy_rule_info_total{rule_type=\"mutate\"}==1)", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Mutate Rules", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 14, + "y": 12 + }, + "id": 6, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(kyverno_policy_rule_info_total{rule_type=\"generate\"}==1)", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Generate Rules", + "type": "stat" + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 16 + }, + "id": 26, + "panels": [], + "title": "Policy-Rule Results", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 17 + }, + "hiddenSeries": false, + "id": 15, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "pass", + "color": "rgb(43, 219, 23)", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "fail", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}[5m])) by (rule_result)", + "interval": "", + "legendFormat": "{{rule_result}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Admission Review Results (per-rule)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 17 + }, + "hiddenSeries": false, + "id": 17, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "pass", + "color": "rgb(43, 219, 23)", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "fail", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}[5m])) by (rule_result)", + "interval": "", + "legendFormat": "{{rule_result}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Background Scan Results (per-rule)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 16, + "w": 8, + "x": 16, + "y": 17 + }, + "hiddenSeries": false, + "id": 30, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "cluster", + "color": "#5794F2", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "namespaced", + "color": "#F2495C", + "dashes": true + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(sum(delta(kyverno_policy_results_total{rule_result=\"fail\"}[5m])) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Policy Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 25 + }, + "hiddenSeries": false, + "id": 31, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "pass", + "color": "rgb(43, 219, 23)", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "fail", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(sum(delta(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}[5m])) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + "legendFormat": "{{rule_result}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Admission Review Results (per-policy)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 25 + }, + "hiddenSeries": false, + "id": 32, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "pass", + "color": "rgb(43, 219, 23)", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "fail", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(sum(delta(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}[5m])) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + "legendFormat": "{{rule_result}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Background Scan Results (per-policy)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 33 + }, + "id": 19, + "panels": [], + "title": "Policy-Rule Info", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 34 + }, + "hiddenSeries": false, + "id": 16, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:3795", + "alias": "cluster", + "color": "#5794F2" + }, + { + "$$hashKey": "object:3800", + "alias": "namespaced", + "color": "#FF7383" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Policies (by policy type)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 34 + }, + "hiddenSeries": false, + "id": 20, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:3319", + "alias": "audit", + "color": "#37872D" + }, + { + "$$hashKey": "object:3335", + "alias": "enforce", + "color": "#FF9830" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{}==1) by (policy_name, policy_validation_mode)) by (policy_validation_mode)", + "interval": "", + "legendFormat": "audit", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Policies (by policy validation action)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 34 + }, + "hiddenSeries": false, + "id": 24, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:3934", + "alias": "cluster", + "color": "#B877D9" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_background_mode=\"true\"}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Policies running in background mode", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 42 + }, + "hiddenSeries": false, + "id": 21, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_namespace!=\"-\"}==1) by (policy_name, policy_namespace)) by (policy_namespace)", + "interval": "", + "legendFormat": "{{policy_namespace}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Namespaced Policies (by namespaces)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 10, + "x": 8, + "y": 42 + }, + "hiddenSeries": false, + "id": 14, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:3021", + "alias": "mutate", + "color": "rgb(169, 58, 227)" + }, + { + "$$hashKey": "object:3029", + "alias": "validate", + "color": "rgb(255, 232, 0)" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "count(kyverno_policy_rule_info_total{}==1) by (rule_type)", + "interval": "", + "legendFormat": "{{rule_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Rules (by rule type)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 50 + }, + "id": 34, + "panels": [], + "title": "Policy-Rule Execution Latency", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 51 + }, + "hiddenSeries": false, + "id": 36, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{}[5m])) by (rule_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{}[5m])) by (rule_type)", + "interval": "", + "legendFormat": "{{rule_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Average Rule Execution Latency Over Time", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:5548", + "format": "s", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:5549", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 51 + }, + "hiddenSeries": false, + "id": 37, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:5526", + "alias": "cluster", + "color": "#5794F2" + }, + { + "$$hashKey": "object:5534", + "alias": "namespaced", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{}[5m])) by (policy_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{}[5m])) by (policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Average Policy Execution Latency Over Time", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:5548", + "format": "clocks", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:5549", + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 51 + }, + "id": 39, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(kyverno_policy_execution_duration_seconds_sum{}) / sum(kyverno_policy_execution_duration_seconds_count{})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Overall Average Rule Execution Latency", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 55 + }, + "id": 40, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "avg(sum(kyverno_policy_execution_duration_seconds_sum{}) by (policy_name, policy_type) / sum(kyverno_policy_execution_duration_seconds_count{}) by (policy_name, policy_type))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Overall Average Policy Execution Latency", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 59 + }, + "id": 52, + "panels": [], + "title": "Admission Review Latency", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 60 + }, + "hiddenSeries": false, + "id": 53, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{}[5m])) by (resource_request_operation) / sum(rate(kyverno_admission_review_duration_seconds_count{}[5m])) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Avg - Admission Review Duration Over Time (by operation)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 60 + }, + "hiddenSeries": false, + "id": 54, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{}[5m])) by (resource_kind) / sum(rate(kyverno_admission_review_duration_seconds_count{}[5m])) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Avg - Admission Review Duration Over Time (by resource kind)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 60 + }, + "id": 50, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_admission_requests_total{}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Incoming Admission Requests (per 5m)", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 64 + }, + "id": 55, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(kyverno_admission_review_duration_seconds_sum{})/sum(kyverno_admission_review_duration_seconds_count{})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Avg - Overall Admission Review Duration", + "type": "stat" + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 68 + }, + "id": 8, + "panels": [], + "title": "Policy Changes", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 69 + }, + "hiddenSeries": false, + "id": 10, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:1487", + "alias": "Change type: created", + "color": "#5794F2" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_policy_changes_total{}[5m])) by (policy_change_type)", + "interval": "", + "legendFormat": "Change type: {{policy_change_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Policy Changes Over Time (by change type)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 69 + }, + "hiddenSeries": false, + "id": 13, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:1679", + "alias": "cluster", + "color": "#F2495C" + }, + { + "$$hashKey": "object:1769" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_policy_changes_total{}[5m])) by (policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Policy Changes Over Time (by policy type)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "orange", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 69 + }, + "id": 49, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_policy_changes_total{}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Policy Changes (Last 24 Hours)", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 73 + }, + "id": 48, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_policy_changes_total{}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Policy Changes Happening (last 5m)", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 77 + }, + "id": 44, + "panels": [], + "title": "Admission Requests", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 78 + }, + "hiddenSeries": false, + "id": 45, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:1487", + "alias": "Change type: created", + "color": "#5794F2" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_admission_requests_total{}[5m])) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Admission Requests (by operation)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 78 + }, + "hiddenSeries": false, + "id": 46, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:1487", + "alias": "Change type: created", + "color": "#5794F2" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_admission_requests_total{}[5m])) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Admission Requests (by resource kind)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "semi-dark-green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 78 + }, + "id": 47, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(delta(kyverno_admission_requests_total{}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Admission Requests (Last 24 Hours)", + "type": "stat" + } + ], + "refresh": false, + "schemaVersion": 30, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "hide": 0, + "label": "datasource", + "name": "DS_PROMETHEUS_KYVERNO", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "type": "datasource" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Kyverno", + "folder": "Kyverno", + "uid": "Rg8lWBG7k", + "version": "1.4.3" +} \ No newline at end of file diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers.tpl index 2e2093552..5d577b3e7 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers.tpl +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers.tpl @@ -113,16 +113,38 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} {{- end }} {{- end }} +{{- define "kyverno.testSecurityContext" -}} +{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} +{{ toYaml (omit .Values.testSecurityContext "seccompProfile") }} +{{- else }} +{{ toYaml .Values.testSecurityContext }} +{{- end }} +{{- end }} + {{- define "kyverno.imagePullSecret" }} {{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }} {{- end }} +{{- define "kyverno.image" -}} + {{- if .image.registry -}} +{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} + {{- else -}} +{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} + {{- end -}} +{{- end }} {{- define "kyverno.resourceFilters" -}} {{- $resourceFilters := .Values.config.resourceFilters }} {{- if .Values.excludeKyvernoNamespace }} {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }} {{- end }} +{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }} + {{- range $filter := $resourceFilters }} + {{- if (contains (printf ",%s," $exclude) $filter) }} + {{- $resourceFilters = without $resourceFilters $filter }} + {{- end }} + {{- end }} +{{- end }} {{- tpl (join "" $resourceFilters) . }} {{- end }} @@ -136,4 +158,10 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }} {{- end }} {{- $newWebhook | toJson }} -{{- end }} \ No newline at end of file +{{- end }} + +{{- define "kyverno.crdAnnotations" -}} +{{- range $key, $value := .Values.crds.annotations }} +{{ $key }}: {{ $value | quote }} +{{- end }} +{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/aggregateroles.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/aggregateroles.yaml index 54927fb76..282e8e561 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/aggregateroles.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/aggregateroles.yaml @@ -32,8 +32,8 @@ rules: - apiGroups: - wgpolicyk8s.io resources: - - policyreport - - clusterpolicyreport + - policyreports + - clusterpolicyreports verbs: - create - delete @@ -49,13 +49,15 @@ metadata: labels: {{ include "kyverno.labels" . | nindent 4 }} rbac.authorization.k8s.io/aggregate-to-admin: "true" app: kyverno - name: {{ template "kyverno.fullname" . }}:admin-reportchangerequest + name: {{ template "kyverno.fullname" . }}:admin-reports rules: - apiGroups: - - kyverno.io + - kyverno.io resources: - - reportchangerequests - - clusterreportchangerequests + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports verbs: - create - delete @@ -85,5 +87,25 @@ rules: - patch - update - watch - +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{ include "kyverno.labels" . | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-admin: "true" + app: kyverno + name: {{ template "kyverno.fullname" . }}:admin-updaterequest +rules: +- apiGroups: + - kyverno.io + resources: + - updaterequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch {{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrole.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrole.yaml index a7bdc6238..4c48b9681 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrole.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrole.yaml @@ -1,6 +1,17 @@ {{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }} + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno +aggregationRule: + clusterRoleSelectors: + - matchLabels: + {{- include "kyverno.matchLabels" . | nindent 6 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: {{ template "kyverno.fullname" . }}:userinfo labels: {{ include "kyverno.labels" . | nindent 4 }} @@ -35,10 +46,10 @@ rules: - generaterequests/status - updaterequests - updaterequests/status - - reportchangerequests - - reportchangerequests/status - - clusterreportchangerequests - - clusterreportchangerequests/status + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports verbs: - create - delete diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrolebinding.yaml index e6fdc782f..2ef768436 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrolebinding.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrolebinding.yaml @@ -1,92 +1,16 @@ -{{- if .Values.rbac.create }} +{{- if .Values.rbac.create -}} kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ template "kyverno.fullname" . }}:userinfo + name: {{ template "kyverno.fullname" . }} labels: {{ include "kyverno.labels" . | nindent 4 }} app: kyverno roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "kyverno.fullname" . }}:userinfo + name: {{ template "kyverno.fullname" . }} subjects: - kind: ServiceAccount name: {{ template "kyverno.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }}:policies - labels: {{ include "kyverno.labels" . | nindent 4 }} - app: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.fullname" . }}:policies -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }}:view - labels: {{ include "kyverno.labels" . | nindent 4 }} - app: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.fullname" . }}:view -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }}:generate - labels: {{ include "kyverno.labels" . | nindent 4 }} - app: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.fullname" . }}:generate -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }}:events - labels: {{ include "kyverno.labels" . | nindent 4 }} - app: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.fullname" . }}:events -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }}:webhook - labels: {{ include "kyverno.labels" . | nindent 4 }} - app: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.fullname" . }}:webhook -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} - -{{- end }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/configmap.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/configmap.yaml index 37c045e26..4aa280a4f 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/configmap.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/configmap.yaml @@ -4,6 +4,10 @@ kind: ConfigMap metadata: labels: {{ include "kyverno.labels" . | nindent 4 }} app: kyverno + {{- with .Values.config.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} name: {{ template "kyverno.configMapName" . }} namespace: {{ template "kyverno.namespace" . }} data: diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/crds.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/crds.yaml index 7874a2c3a..ccb34655e 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/crds.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/crds.yaml @@ -3,20 +3,1015 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf + controller-gen.kubebuilder.io/version: v0.10.0 config.kubernetes.io/index: '1' internal.config.kubernetes.io/index: '1' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.7.5 + app.kubernetes.io/version: '{{.Chart.AppVersion}}' + name: admissionreports.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: AdmissionReport + listKind: AdmissionReportList + plural: admissionreports + shortNames: + - admr + singular: admissionreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.ownerReferences[0].apiVersion + name: ApiVersion + priority: 1 + type: string + - jsonPath: .metadata.ownerReferences[0].kind + name: Kind + priority: 1 + type: string + - jsonPath: .metadata.ownerReferences[0].name + name: Subject + priority: 1 + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] + name: AGGREGATE + priority: 1 + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: AdmissionReport is the Schema for the AdmissionReports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + uid: + description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes resources + items: + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. \n Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 ." + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + config.kubernetes.io/index: '2' + internal.config.kubernetes.io/index: '2' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: '{{.Chart.AppVersion}}' + name: backgroundscanreports.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: BackgroundScanReport + listKind: BackgroundScanReportList + plural: backgroundscanreports + shortNames: + - bgscanr + singular: backgroundscanreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.ownerReferences[0].apiVersion + name: ApiVersion + priority: 1 + type: string + - jsonPath: .metadata.ownerReferences[0].kind + name: Kind + priority: 1 + type: string + - jsonPath: .metadata.ownerReferences[0].name + name: Subject + priority: 1 + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: BackgroundScanReport is the Schema for the BackgroundScanReports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes resources + items: + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. \n Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 ." + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose requirements were not met + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + config.kubernetes.io/index: '3' + internal.config.kubernetes.io/index: '3' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: '{{.Chart.AppVersion}}' + name: clusteradmissionreports.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterAdmissionReport + listKind: ClusterAdmissionReportList + plural: clusteradmissionreports + shortNames: + - cadmr + singular: clusteradmissionreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.ownerReferences[0].apiVersion + name: ApiVersion + priority: 1 + type: string + - jsonPath: .metadata.ownerReferences[0].kind + name: Kind + priority: 1 + type: string + - jsonPath: .metadata.ownerReferences[0].name + name: Subject + priority: 1 + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] + name: AGGREGATE + priority: 1 + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + uid: + description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes resources + items: + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. \n Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 ." + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + config.kubernetes.io/index: '4' + internal.config.kubernetes.io/index: '4' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: '{{.Chart.AppVersion}}' + name: clusterbackgroundscanreports.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterBackgroundScanReport + listKind: ClusterBackgroundScanReportList + plural: clusterbackgroundscanreports + shortNames: + - cbgscanr + singular: clusterbackgroundscanreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.ownerReferences[0].apiVersion + name: ApiVersion + priority: 1 + type: string + - jsonPath: .metadata.ownerReferences[0].kind + name: Kind + priority: 1 + type: string + - jsonPath: .metadata.ownerReferences[0].name + name: Subject + priority: 1 + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the policy rule + type: object + resourceSelector: + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes resources + items: + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. \n Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 ." + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose requirements were not met + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + config.kubernetes.io/index: '5' + internal.config.kubernetes.io/index: '5' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: '{{.Chart.AppVersion}}' name: clusterpolicies.kyverno.io spec: group: kyverno.io names: + categories: + - kyverno kind: ClusterPolicy listKind: ClusterPolicyList plural: clusterpolicies @@ -28,9 +1023,9 @@ spec: - additionalPrinterColumns: - jsonPath: .spec.background name: Background - type: string + type: boolean - jsonPath: .spec.validationFailureAction - name: Action + name: Validate Action type: string - jsonPath: .spec.failurePolicy name: Failure Policy @@ -38,7 +1033,7 @@ spec: type: string - jsonPath: .status.ready name: Ready - type: string + type: boolean name: v1 schema: openAPIV3Schema: @@ -55,17 +1050,24 @@ spec: spec: description: Spec declares policy behaviors. properties: + applyRules: + description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` processing stops after a rule has been applied i.e. the rule matches and results in a pass, fail, or error. When set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string background: + default: true description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. + description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls wether to trigger generate rule in existing resources If is set to "true" generate rule will be triggered and applied to existing matched resources. Defaults to "false" if not specified. + description: GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources If is set to "true" generate rule will be triggered and applied to existing matched resources. Defaults to "false" if not specified. type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is "false". @@ -534,6 +1536,49 @@ spec: description: Namespace specifies source resource namespace. type: string type: object + cloneList: + description: CloneList specifies the list of source resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object data: description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true @@ -1306,12 +2351,200 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object type: array + manifests: + description: Manifest specifies conditions for manifest verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI repository to use for resource bundle reference. The repository can be overridden per Attestor or Attestation. + type: string + type: object message: description: Message specifies a custom message to be displayed on failure. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers and applies the container level PSS. Each image is the image name consisting of the registry address, repository, image, and tag. Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard level to be applied to workloads. Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - latest + type: string + type: object type: object verifyImages: description: VerifyImages is used to verify image signatures and mutate them to add a digest @@ -1333,6 +2566,95 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: @@ -1409,6 +2731,8 @@ spec: predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -1540,10 +2864,11 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + description: SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + default: audit + description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit". enum: - audit - enforce @@ -1572,10 +2897,1805 @@ spec: status: description: Status contains policy runtime data. properties: + autogen: + description: Autogen contains autogen status information + properties: + rules: + description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers + items: + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available under 'images.' in the context. If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. This config is only valid for verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. When set to "false", "request.object" is used as the validation scope within the foreach block to allow referencing other elements in the subtree. + type: boolean + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI repository to use for resource bundle reference. The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers and applies the container level PSS. Each image is the image name consisting of the registry address, repository, image, and tag. Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard level to be applied to workloads. Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures and mutate them to add a digest + items: + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. Deprecated. Use annotations per Attestor instead. + type: object + attestations: + description: Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. AnyConditions get fulfilled when at least one of its sub-conditions passes. AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: PredicateType defines the type of Predicate contained within the Statement. + type: string + required: + - predicateType + type: object + type: array + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. Deprecated. Use ImageReferences instead.' + type: string + imageReferences: + description: 'ImageReferences is a list of matching image reference patterns. At least one pattern in the list must match the image for the rule to apply. Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + issuer: + description: Issuer is the certificate issuer used for keyless signing. Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Key is the PEM encoded public key that the image or attestation is signed with. Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. If specified Repository will override the default OCI image repository configured for the installation. The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified i.e. have matched passed a signature or attestation check. + type: boolean + roots: + description: Roots is the PEM encoded Root certificate chain used for keyless signing Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Subject is the identity used for keyless signing, for example an email address Deprecated. Use KeylessAttestor instead. + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a digest. + type: boolean + type: object + type: array + type: object + type: array + type: object conditions: description: Conditions is a list of conditions that apply to the policy items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. @@ -1629,21 +4749,3604 @@ spec: storage: true subresources: status: {} + - additionalPrinterColumns: + - jsonPath: .spec.background + name: Background + type: boolean + - jsonPath: .spec.validationFailureAction + name: Validate Action + type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + priority: 1 + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + applyRules: + description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` processing stops after a rule has been applied i.e. the rule matches and results in a pass, fail, or error. When set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + type: boolean + failurePolicy: + description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + generateExistingOnPolicyUpdate: + description: GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources If is set to "true" generate rule will be triggered and applied to existing matched resources. Defaults to "false" if not specified. + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is "false". + type: boolean + rules: + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + items: + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available under 'images.' in the context. If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. This config is only valid for verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + foreach: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. When set to "false", "request.object" is used as the validation scope within the foreach block to allow referencing other elements in the subtree. + type: boolean + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI repository to use for resource bundle reference. The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers and applies the container level PSS. Each image is the image name consisting of the registry address, repository, image, and tag. Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard level to be applied to workloads. Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures and mutate them to add a digest + items: + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. AnyConditions get fulfilled when at least one of its sub-conditions passes. AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: PredicateType defines the type of Predicate contained within the Statement. + type: string + required: + - predicateType + type: object + type: array + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + imageReferences: + description: 'ImageReferences is a list of matching image reference patterns. At least one pattern in the list must match the image for the rule to apply. Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + mutateDigest: + default: true + description: MutateDigest enables replacement of image tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. If specified Repository will override the default OCI image repository configured for the installation. The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified i.e. have matched passed a signature or attestation check. + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a digest. + type: boolean + type: object + type: array + type: object + type: array + schemaValidation: + description: SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + type: boolean + validationFailureAction: + default: audit + description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit". + enum: + - audit + - enforce + type: string + validationFailureActionOverrides: + description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation failure action + enum: + - audit + - enforce + type: string + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: Autogen contains autogen status information + properties: + rules: + description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers + items: + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available under 'images.' in the context. If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. This config is only valid for verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. When set to "false", "request.object" is used as the validation scope within the foreach block to allow referencing other elements in the subtree. + type: boolean + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI repository to use for resource bundle reference. The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers and applies the container level PSS. Each image is the image name consisting of the registry address, repository, image, and tag. Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard level to be applied to workloads. Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures and mutate them to add a digest + items: + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. Deprecated. Use annotations per Attestor instead. + type: object + attestations: + description: Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. AnyConditions get fulfilled when at least one of its sub-conditions passes. AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: PredicateType defines the type of Predicate contained within the Statement. + type: string + required: + - predicateType + type: object + type: array + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. Deprecated. Use ImageReferences instead.' + type: string + imageReferences: + description: 'ImageReferences is a list of matching image reference patterns. At least one pattern in the list must match the image for the rule to apply. Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + issuer: + description: Issuer is the certificate issuer used for keyless signing. Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Key is the PEM encoded public key that the image or attestation is signed with. Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. If specified Repository will override the default OCI image repository configured for the installation. The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified i.e. have matched passed a signature or attestation check. + type: boolean + roots: + description: Roots is the PEM encoded Root certificate chain used for keyless signing Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Subject is the identity used for keyless signing, for example an email address Deprecated. Use KeylessAttestor instead. + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a digest. + type: boolean + type: object + type: array + type: object + type: array + type: object + conditions: + description: Conditions is a list of conditions that apply to the policy + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions + type: boolean + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf - config.kubernetes.io/index: '2' - internal.config.kubernetes.io/index: '2' + controller-gen.kubebuilder.io/version: v0.10.0 + config.kubernetes.io/index: '6' + internal.config.kubernetes.io/index: '6' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.7.5 + app.kubernetes.io/version: '{{.Chart.AppVersion}}' name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -1705,10 +8408,10 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: @@ -1716,7 +8419,7 @@ spec: description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. @@ -1747,9 +8450,9 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes resources items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. \n Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 ." properties: apiVersion: description: API version of the referent. @@ -1785,17 +8488,19 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that manages this report @@ -1892,7 +8597,7 @@ spec: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of non-scored policies whose requirements were not met type: integer type: object type: object @@ -1904,286 +8609,17 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf - config.kubernetes.io/index: '3' - internal.config.kubernetes.io/index: '3' + controller-gen.kubebuilder.io/version: v0.10.0 + config.kubernetes.io/index: '7' + internal.config.kubernetes.io/index: '7' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.7.5 - name: clusterreportchangerequests.kyverno.io -spec: - group: kyverno.io - names: - kind: ClusterReportChangeRequest - listKind: ClusterReportChangeRequestList - plural: clusterreportchangerequests - shortNames: - - crcr - singular: clusterreportchangerequest - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Message is a short user friendly description of the policy rule - type: string - policy: - description: Policy is the name of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the policy rule - type: object - resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Resources is an optional reference to the resource checked by the policy and rule - items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - severity: - description: Severity indicates policy severity - enum: - - high - - low - - medium - type: string - source: - description: Source is an identifier for the policy engine that manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected for evaluation - type: integer - warn: - description: Warn provides the count of unscored policies whose requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf - config.kubernetes.io/index: '4' - internal.config.kubernetes.io/index: '4' - creationTimestamp: null - labels: - app.kubernetes.io/component: kyverno - app.kubernetes.io/instance: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.7.5 + app.kubernetes.io/version: '{{.Chart.AppVersion}}' name: generaterequests.kyverno.io spec: group: kyverno.io @@ -2349,20 +8785,24 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf - config.kubernetes.io/index: '5' - internal.config.kubernetes.io/index: '5' + controller-gen.kubebuilder.io/version: v0.10.0 + config.kubernetes.io/index: '8' + internal.config.kubernetes.io/index: '8' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.7.5 + app.kubernetes.io/version: '{{.Chart.AppVersion}}' name: policies.kyverno.io spec: group: kyverno.io names: + categories: + - kyverno + - all kind: Policy listKind: PolicyList plural: policies @@ -2374,9 +8814,9 @@ spec: - additionalPrinterColumns: - jsonPath: .spec.background name: Background - type: string + type: boolean - jsonPath: .spec.validationFailureAction - name: Action + name: Validate Action type: string - jsonPath: .spec.failurePolicy name: Failure Policy @@ -2384,7 +8824,7 @@ spec: type: string - jsonPath: .status.ready name: Ready - type: string + type: boolean name: v1 schema: openAPIV3Schema: @@ -2401,17 +8841,24 @@ spec: spec: description: Spec defines policy behaviors and contains one or more rules. properties: + applyRules: + description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` processing stops after a rule has been applied i.e. the rule matches and results in a pass, fail, or error. When set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string background: + default: true description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. + description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls wether to trigger generate rule in existing resources If is set to "true" generate rule will be triggered and applied to existing matched resources. Defaults to "false" if not specified. + description: GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources If is set to "true" generate rule will be triggered and applied to existing matched resources. Defaults to "false" if not specified. type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is "false". @@ -2880,6 +9327,49 @@ spec: description: Namespace specifies source resource namespace. type: string type: object + cloneList: + description: CloneList specifies the list of source resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object data: description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true @@ -3652,12 +10142,200 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object type: array + manifests: + description: Manifest specifies conditions for manifest verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI repository to use for resource bundle reference. The repository can be overridden per Attestor or Attestation. + type: string + type: object message: description: Message specifies a custom message to be displayed on failure. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers and applies the container level PSS. Each image is the image name consisting of the registry address, repository, image, and tag. Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard level to be applied to workloads. Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - latest + type: string + type: object type: object verifyImages: description: VerifyImages is used to verify image signatures and mutate them to add a digest @@ -3679,6 +10357,95 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: @@ -3755,6 +10522,8 @@ spec: predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -3886,10 +10655,11 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + description: SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + default: audit + description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit". enum: - audit - enforce @@ -3918,10 +10688,1805 @@ spec: status: description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint properties: + autogen: + description: Autogen contains autogen status information + properties: + rules: + description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers + items: + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available under 'images.' in the context. If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. This config is only valid for verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. When set to "false", "request.object" is used as the validation scope within the foreach block to allow referencing other elements in the subtree. + type: boolean + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI repository to use for resource bundle reference. The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers and applies the container level PSS. Each image is the image name consisting of the registry address, repository, image, and tag. Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard level to be applied to workloads. Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures and mutate them to add a digest + items: + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. Deprecated. Use annotations per Attestor instead. + type: object + attestations: + description: Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. AnyConditions get fulfilled when at least one of its sub-conditions passes. AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: PredicateType defines the type of Predicate contained within the Statement. + type: string + required: + - predicateType + type: object + type: array + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. Deprecated. Use ImageReferences instead.' + type: string + imageReferences: + description: 'ImageReferences is a list of matching image reference patterns. At least one pattern in the list must match the image for the rule to apply. Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + issuer: + description: Issuer is the certificate issuer used for keyless signing. Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Key is the PEM encoded public key that the image or attestation is signed with. Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. If specified Repository will override the default OCI image repository configured for the installation. The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified i.e. have matched passed a signature or attestation check. + type: boolean + roots: + description: Roots is the PEM encoded Root certificate chain used for keyless signing Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Subject is the identity used for keyless signing, for example an email address Deprecated. Use KeylessAttestor instead. + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a digest. + type: boolean + type: object + type: array + type: object + type: array + type: object conditions: description: Conditions is a list of conditions that apply to the policy items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. @@ -3975,21 +12540,3604 @@ spec: storage: true subresources: status: {} + - additionalPrinterColumns: + - jsonPath: .spec.background + name: Background + type: boolean + - jsonPath: .spec.validationFailureAction + name: Validate Action + type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + priority: 1 + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + name: v2beta1 + schema: + openAPIV3Schema: + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + applyRules: + description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` processing stops after a rule has been applied i.e. the rule matches and results in a pass, fail, or error. When set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + type: boolean + failurePolicy: + description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + generateExistingOnPolicyUpdate: + description: GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources If is set to "true" generate rule will be triggered and applied to existing matched resources. Defaults to "false" if not specified. + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is "false". + type: boolean + rules: + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + items: + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available under 'images.' in the context. If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. This config is only valid for verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + foreach: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. When set to "false", "request.object" is used as the validation scope within the foreach block to allow referencing other elements in the subtree. + type: boolean + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI repository to use for resource bundle reference. The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers and applies the container level PSS. Each image is the image name consisting of the registry address, repository, image, and tag. Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard level to be applied to workloads. Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures and mutate them to add a digest + items: + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. AnyConditions get fulfilled when at least one of its sub-conditions passes. AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: PredicateType defines the type of Predicate contained within the Statement. + type: string + required: + - predicateType + type: object + type: array + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + imageReferences: + description: 'ImageReferences is a list of matching image reference patterns. At least one pattern in the list must match the image for the rule to apply. Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + mutateDigest: + default: true + description: MutateDigest enables replacement of image tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. If specified Repository will override the default OCI image repository configured for the installation. The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified i.e. have matched passed a signature or attestation check. + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a digest. + type: boolean + type: object + type: array + type: object + type: array + schemaValidation: + description: SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + type: boolean + validationFailureAction: + default: audit + description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit". + enum: + - audit + - enforce + type: string + validationFailureActionOverrides: + description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation failure action + enum: + - audit + - enforce + type: string + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: Autogen contains autogen status information + properties: + rules: + description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers + items: + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available under 'images.' in the context. If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. This config is only valid for verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + items: + description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. When set to "false", "request.object" is used as the validation scope within the foreach block to allow referencing other elements in the subtree. + type: boolean + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI repository to use for resource bundle reference. The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers and applies the container level PSS. Each image is the image name consisting of the registry address, repository, image, and tag. Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard level to be applied to workloads. Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures and mutate them to add a digest + items: + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. Deprecated. Use annotations per Attestor instead. + type: object + attestations: + description: Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. AnyConditions get fulfilled when at least one of its sub-conditions passes. AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: PredicateType defines the type of Predicate contained within the Statement. + type: string + required: + - predicateType + type: object + type: array + attestors: + description: Attestors specified the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. Deprecated. Use ImageReferences instead.' + type: string + imageReferences: + description: 'ImageReferences is a list of matching image reference patterns. At least one pattern in the list must match the image for the rule to apply. Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + issuer: + description: Issuer is the certificate issuer used for keyless signing. Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Key is the PEM encoded public key that the image or attestation is signed with. Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. If specified Repository will override the default OCI image repository configured for the installation. The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified i.e. have matched passed a signature or attestation check. + type: boolean + roots: + description: Roots is the PEM encoded Root certificate chain used for keyless signing Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Subject is the identity used for keyless signing, for example an email address Deprecated. Use KeylessAttestor instead. + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a digest. + type: boolean + type: object + type: array + type: object + type: array + type: object + conditions: + description: Conditions is a list of conditions that apply to the policy + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions + type: boolean + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf - config.kubernetes.io/index: '6' - internal.config.kubernetes.io/index: '6' + controller-gen.kubebuilder.io/version: v0.10.0 + config.kubernetes.io/index: '9' + internal.config.kubernetes.io/index: '9' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.7.5 + app.kubernetes.io/version: '{{.Chart.AppVersion}}' name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -4051,10 +16199,10 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: @@ -4062,7 +16210,7 @@ spec: description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. @@ -4093,9 +16241,9 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes resources items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. \n Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 ." properties: apiVersion: description: API version of the referent. @@ -4131,17 +16279,19 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that manages this report @@ -4238,7 +16388,7 @@ spec: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of non-scored policies whose requirements were not met type: integer type: object type: object @@ -4250,290 +16400,23 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf - config.kubernetes.io/index: '7' - internal.config.kubernetes.io/index: '7' + controller-gen.kubebuilder.io/version: v0.10.0 + config.kubernetes.io/index: '10' + internal.config.kubernetes.io/index: '10' + {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }} creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.7.5 - name: reportchangerequests.kyverno.io -spec: - group: kyverno.io - names: - kind: ReportChangeRequest - listKind: ReportChangeRequestList - plural: reportchangerequests - shortNames: - - rcr - singular: reportchangerequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Message is a short user friendly description of the policy rule - type: string - policy: - description: Policy is the name of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the policy rule - type: object - resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Resources is an optional reference to the resource checked by the policy and rule - items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - severity: - description: Severity indicates policy severity - enum: - - high - - low - - medium - type: string - source: - description: Source is an identifier for the policy engine that manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected for evaluation - type: integer - warn: - description: Warn provides the count of unscored policies whose requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf - config.kubernetes.io/index: '8' - internal.config.kubernetes.io/index: '8' - creationTimestamp: null - labels: - app.kubernetes.io/component: kyverno - app.kubernetes.io/instance: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.7.5 + app.kubernetes.io/version: '{{.Chart.AppVersion}}' name: updaterequests.kyverno.io spec: group: kyverno.io names: + categories: + - kyverno kind: UpdateRequest listKind: UpdateRequestList plural: updaterequests @@ -4567,7 +16450,7 @@ spec: name: v1beta1 schema: openAPIV3Schema: - description: UpdateRequestStatus is a request to process mutate and generate rules in background. + description: UpdateRequest is a request to process mutate and generate rules in background. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/deployment.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/deployment.yaml index a5c42bb2c..6c83eb580 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/deployment.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/deployment.yaml @@ -65,9 +65,16 @@ spec: dnsPolicy: {{ .Values.dnsPolicy }} {{- end }} initContainers: + {{- if .Values.extraInitContainers }} + {{- toYaml .Values.extraInitContainers | nindent 8 }} + {{- end }} - name: kyverno-pre - image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }} + image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }} imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }} + {{- if .Values.initContainer.extraArgs }} + args: + {{ tpl (toYaml .Values.initContainer.extraArgs) . }} + {{- end }} {{- with .Values.initResources }} resources: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} @@ -81,14 +88,21 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name - name: KYVERNO_DEPLOYMENT value: {{ template "kyverno.fullname" . }} {{- with .Values.envVarsInit }} {{- toYaml . | nindent 10 }} {{- end }} containers: + {{- if .Values.extraContainers }} + {{- toYaml .Values.extraContainers | nindent 8 }} + {{- end }} - name: kyverno - image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }} + image: {{ include "kyverno.image" (dict "image" .Values.image "defaultTag" .Chart.AppVersion) | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if or .Values.extraArgs .Values.imagePullSecrets }} args: @@ -125,6 +139,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.serviceAccountName" . }} - name: KYVERNO_SVC value: {{ template "kyverno.serviceName" . }} - name: TUF_ROOT @@ -134,6 +150,9 @@ spec: {{- end }} - name: KYVERNO_DEPLOYMENT value: {{ template "kyverno.fullname" . }} + {{- with .Values.startupProbe }} + startupProbe: {{ tpl (toYaml .) $ | nindent 12 }} + {{- end }} {{- with .Values.livenessProbe }} livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/grafana.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/grafana.yaml new file mode 100644 index 000000000..7f4fb3eea --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/grafana.yaml @@ -0,0 +1,13 @@ +{{- if .Values.grafana.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kyverno.configMapName" . }}-grafana + namespace: {{ default (include "kyverno.namespace" .) .Values.grafana.namespace }} + annotations: + {{- toYaml .Values.grafana.annotations | nindent 4 }} + labels: + grafana_dashboard: "1" +data: +{{ (.Files.Glob "grafana/*").AsConfig | indent 2 }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/metricsconfigmap.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/metricsconfigmap.yaml index e9be52c08..0e08473fa 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/metricsconfigmap.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/metricsconfigmap.yaml @@ -4,6 +4,10 @@ kind: ConfigMap metadata: labels: {{ include "kyverno.labels" . | nindent 4 }} app: kyverno + {{- with .Values.config.metricsConfig.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} name: {{ template "kyverno.metricsConfigMapName" . }} namespace: {{ template "kyverno.namespace" . }} {{- if .Values.config.metricsConfig }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/secret.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/secret.yaml index 63bdd895f..c254b8963 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/secret.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/secret.yaml @@ -1,14 +1,17 @@ {{- if .Values.createSelfSignedCert }} {{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}} -{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) nil nil 1024 $ca -}} +{{- $svcName := (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) -}} +{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} apiVersion: v1 kind: Secret metadata: name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca labels: {{ include "kyverno.labels" . | nindent 4 }} app: kyverno +type: kubernetes.io/tls data: - rootCA.crt: {{ $ca.Cert | b64enc }} + tls.key: {{ $ca.Key | b64enc }} + tls.crt: {{ $ca.Cert | b64enc }} --- apiVersion: v1 kind: Secret diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/test.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/test.yaml index 2bc81dcc8..75345dbac 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/test.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/test.yaml @@ -10,16 +10,28 @@ spec: restartPolicy: Never containers: - name: wget - image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }} + image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }} imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }} + {{- with .Values.testResources }} + resources: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if .Values.testSecurityContext }} + securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }} + {{- end }} command: - /bin/sh - -c - | sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}:{{ .Values.service.port }}/health/liveness - name: wget-metrics - image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }} + image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }} imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }} + {{- with .Values.testResources }} + resources: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if .Values.testSecurityContext }} + securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }} + {{- end }} command: - /bin/sh - -c diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/validate.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/validate.yaml index 45c03e73a..35864e9c1 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/validate.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/validate.yaml @@ -7,3 +7,7 @@ {{ fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." }} {{- end }} {{- end }} + +{{- if eq (include "kyverno.namespace" .) "kube-system" }} + {{ fail "Kyverno cannot be installed in namespace kube-system." }} +{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/values.yaml b/scripts/helmcharts/toolings/charts/kyverno/values.yaml index ddeb699bc..7803a1b95 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/values.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/values.yaml @@ -23,8 +23,13 @@ rbac: # example.com/annotation: value image: + # -- Image registry + registry: + # If you want to manage the registry you should remove it from the repository + # registry: ghcr.io + # repository: kyverno/kyverno # -- Image repository - repository: ghcr.io/kyverno/kyverno + repository: ghcr.io/kyverno/kyverno # kyverno: replaced in e2e tests # -- Image tag # Defaults to appVersion in Chart.yaml if omitted tag: # replaced in e2e tests @@ -35,8 +40,13 @@ image: # - secretName initImage: + # -- Image registry + registry: + # If you want to manage the registry you should remove it from the repository + # registry: ghcr.io + # repository: kyverno/kyvernopre # -- Image repository - repository: ghcr.io/kyverno/kyvernopre + repository: ghcr.io/kyverno/kyvernopre # init: replaced in e2e tests # -- Image tag # If initImage.tag is missing, defaults to image.tag tag: # replaced in e2e tests @@ -44,10 +54,17 @@ initImage: # If initImage.pullPolicy is missing, defaults to image.pullPolicy pullPolicy: +initContainer: + # -- Extra arguments to give to the kyvernopre binary. + extraArgs: + - --loggingFormat=text + + testImage: + # -- Image registry + registry: # -- Image repository - # Defaults to `busybox` if omitted - repository: + repository: busybox # -- Image tag # Defaults to `latest` if omitted tag: @@ -81,6 +98,20 @@ securityContext: seccompProfile: type: RuntimeDefault +# -- Security context for the test containers +testSecurityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + # -- Optional priority class to be used for kyverno pods priorityClassName: '' @@ -141,7 +172,22 @@ envVars: {} # -- Extra arguments to give to the binary. extraArgs: - - --autogenInternals=false + - --autogenInternals=true + - --loggingFormat=text + +# -- Array of extra init containers +extraInitContainers: [] +# Example: +# - name: init-container +# image: busybox +# command: ['sh', '-c', 'echo Hello'] + +# -- Array of extra containers to run alongside kyverno +extraContainers: [] +# Example: +# - name: myapp-container +# image: busybox +# command: ['sh', '-c', 'echo Hello && sleep 3600'] # -- Image pull secrets for image verify and imageData policies. # This will define the `--imagePullSecrets` Kyverno argument. @@ -176,6 +222,29 @@ initResources: cpu: 10m memory: 64Mi +testResources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + +# -- Startup probe. +# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +# @default -- See [values.yaml](values.yaml) +startupProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + failureThreshold: 20 + initialDelaySeconds: 2 + periodSeconds: 6 + # -- Liveness probe. # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ @@ -206,9 +275,8 @@ readinessProbe: failureThreshold: 6 successThreshold: 1 -# TODO(mbarrien): Should we just list all resources for the -# generatecontroller in here rather than having defaults hard-coded? -generatecontrollerExtraResources: +# -- Additional resources to be added to controller RBAC permissions. +generatecontrollerExtraResources: [] # - ResourceA # - ResourceB @@ -216,6 +284,10 @@ generatecontrollerExtraResources: # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters excludeKyvernoNamespace: true +# -- resourceFilter namespace exclude +# Namespaces to exclude from the default resourceFilters +resourceFiltersExcludeNamespaces: [] + config: # -- Resource types to be skipped by the Kyverno policy engine. # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. @@ -233,8 +305,10 @@ config: - '[SelfSubjectAccessReview,*,*]' - '[Binding,*,*]' - '[ReplicaSet,*,*]' - - '[ReportChangeRequest,*,*]' - - '[ClusterReportChangeRequest,*,*]' + - '[AdmissionReport,*,*]' + - '[ClusterAdmissionReport,*,*]' + - '[BackgroundScanReport,*,*]' + - '[ClusterBackgroundScanReport,*,*]' # exclude resources from the chart - '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]' - '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]' @@ -255,6 +329,9 @@ config: # -- Name of an existing config map (ignores default/provided resourceFilters) existingConfig: '' + # -- Additional annotations to add to the configmap + annotations: {} + # example.com/annotation: foo # -- Exclude group role excludeGroupRole: # - '' @@ -284,6 +361,9 @@ config: generateSuccessEvents: false # -- Metrics config. metricsConfig: + # -- Additional annotations to add to the metricsconfigmap + annotations: {} + # example.com/annotation: foo namespaces: { "include": [], "exclude": [] @@ -356,7 +436,7 @@ serviceMonitor: # 2) Provide your own CA and cert. # In this case, you will need to create a certificate with a specific name and data structure. # As long as you follow the naming scheme, it will be automatically picked up. -# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt) +# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) # kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) # 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true # If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false @@ -366,6 +446,12 @@ createSelfSignedCert: false # If the CRDs are not installed by Helm, they must be added before policies can be created. installCRDs: true +crds: + # -- Additional CRDs annotations. + annotations: {} + # argocd.argoproj.io/sync-options: Replace=true + # strategy.spinnaker.io/replace: 'true' + networkPolicy: # -- When true, use a NetworkPolicy to allow ingress to the webhook # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. @@ -379,5 +465,14 @@ webhooksCleanup: # -- `kubectl` image to run commands for deleting webhooks. image: bitnami/kubectl:latest -# -- A writable volume to use for the TUF root initialization +# -- A writable volume to use for the TUF root initialization. tufRootMountPath: /.sigstore + +grafana: + # -- Enable grafana dashboard creation. + enabled: false + # -- Namespace to create the grafana dashboard configmap. + # If not set, it will be created in the same namespace where the chart is deployed. + namespace: + # -- Grafana dashboard configmap annotations. + annotations: {} diff --git a/scripts/helmcharts/toolings/templates/kyverno.yaml b/scripts/helmcharts/toolings/templates/kyverno.yaml index ee3a9691c..2f045abf0 100644 --- a/scripts/helmcharts/toolings/templates/kyverno.yaml +++ b/scripts/helmcharts/toolings/templates/kyverno.yaml @@ -2,6 +2,10 @@ apiVersion: kyverno.io/v1 kind: Policy metadata: name: cosign + namespace: "{{ .Release.Namespace }}" + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-weight": "4" # Higher precidence, so the first the config map will get created. spec: validationFailureAction: enforce background: false diff --git a/scripts/helmcharts/toolings/values.yaml b/scripts/helmcharts/toolings/values.yaml new file mode 100644 index 000000000..c34673667 --- /dev/null +++ b/scripts/helmcharts/toolings/values.yaml @@ -0,0 +1,3 @@ +kyverno: + fullnameOverride: kyverno + excludeKyvernoNamespace: false