chore(deps): update helm release external-secrets to v0.10.6 #859
Merged
Changes
Rendered Chart
diff -U 4 -r out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/aggregate-roles.yaml out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/aggregate-roles.yaml
--- out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/aggregate-roles.yaml 2024-11-22 16:44:41.524360953 +0000
+++ out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/aggregate-roles.yaml 2024-11-22 16:44:07.812522665 +0000
@@ -6,9 +6,9 @@
name: release-name-argo-rollouts-aggregate-to-view
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
app.kubernetes.io/component: rollouts-controller
- helm.sh/chart: argo-rollouts-2.37.7
+ helm.sh/chart: argo-rollouts-2.37.8
app.kubernetes.io/name: argo-rollouts
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "v1.7.2"
app.kubernetes.io/managed-by: Helm
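Review bot: none of the files in this rendered diff belong to external-secrets, which the PR title names (`chore(deps): update helm release external-secrets to v0.10.6`); this hunk and everything after it touch argo-rollouts, backstage and kyverno instead. That usually means the `out/target` side was rendered from a stale branch, so the diff is showing earlier merges rather than this PR's change. Regenerate it against the current target before treating the RBAC and configuration changes below as part of this dependency update.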
@@ -35,9 +35,9 @@
name: release-name-argo-rollouts-aggregate-to-edit
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
app.kubernetes.io/component: rollouts-controller
- helm.sh/chart: argo-rollouts-2.37.7
+ helm.sh/chart: argo-rollouts-2.37.8
app.kubernetes.io/name: argo-rollouts
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "v1.7.2"
app.kubernetes.io/managed-by: Helm
@@ -70,9 +70,9 @@
name: release-name-argo-rollouts-aggregate-to-admin
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app.kubernetes.io/component: rollouts-controller
- helm.sh/chart: argo-rollouts-2.37.7
+ helm.sh/chart: argo-rollouts-2.37.8
app.kubernetes.io/name: argo-rollouts
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "v1.7.2"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/clusterrole.yaml out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/clusterrole.yaml
--- out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/clusterrole.yaml 2024-11-22 16:44:41.524360953 +0000
+++ out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/clusterrole.yaml 2024-11-22 16:44:07.812522665 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-argo-rollouts
labels:
app.kubernetes.io/component: rollouts-controller
- helm.sh/chart: argo-rollouts-2.37.7
+ helm.sh/chart: argo-rollouts-2.37.8
app.kubernetes.io/name: argo-rollouts
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "v1.7.2"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/clusterrolebinding.yaml out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/clusterrolebinding.yaml
--- out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/clusterrolebinding.yaml 2024-11-22 16:44:41.524360953 +0000
+++ out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/clusterrolebinding.yaml 2024-11-22 16:44:07.812522665 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-argo-rollouts
labels:
app.kubernetes.io/component: rollouts-controller
- helm.sh/chart: argo-rollouts-2.37.7
+ helm.sh/chart: argo-rollouts-2.37.8
app.kubernetes.io/name: argo-rollouts
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "v1.7.2"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/configmap.yaml out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/configmap.yaml
--- out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/configmap.yaml 2024-11-22 16:44:41.524360953 +0000
+++ out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/configmap.yaml 2024-11-22 16:44:07.812522665 +0000
@@ -6,9 +6,9 @@
name: argo-rollouts-config
namespace: "default"
labels:
app.kubernetes.io/component: rollouts-controller
- helm.sh/chart: argo-rollouts-2.37.7
+ helm.sh/chart: argo-rollouts-2.37.8
app.kubernetes.io/name: argo-rollouts
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "v1.7.2"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/deployment.yaml out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/deployment.yaml
--- out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/deployment.yaml 2024-11-22 16:44:41.524360953 +0000
+++ out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/deployment.yaml 2024-11-22 16:44:07.812522665 +0000
@@ -6,9 +6,9 @@
name: release-name-argo-rollouts
namespace: "default"
labels:
app.kubernetes.io/component: rollouts-controller
- helm.sh/chart: argo-rollouts-2.37.7
+ helm.sh/chart: argo-rollouts-2.37.8
app.kubernetes.io/name: argo-rollouts
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "v1.7.2"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/notifications-configmap.yaml out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/notifications-configmap.yaml
--- out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/notifications-configmap.yaml 2024-11-22 16:44:41.524360953 +0000
+++ out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/notifications-configmap.yaml 2024-11-22 16:44:07.812522665 +0000
@@ -6,9 +6,9 @@
name: argo-rollouts-notification-configmap
namespace: "default"
labels:
app.kubernetes.io/component: rollouts-controller
- helm.sh/chart: argo-rollouts-2.37.7
+ helm.sh/chart: argo-rollouts-2.37.8
app.kubernetes.io/name: argo-rollouts
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "v1.7.2"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/serviceaccount.yaml out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/serviceaccount.yaml
--- out/target/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/serviceaccount.yaml 2024-11-22 16:44:41.524360953 +0000
+++ out/pr/argo-rollouts/values.yaml/sx-argo-rollouts/charts/argo-rollouts/templates/controller/serviceaccount.yaml 2024-11-22 16:44:07.812522665 +0000
@@ -6,9 +6,9 @@
name: release-name-argo-rollouts
namespace: "default"
labels:
app.kubernetes.io/component: rollouts-controller
- helm.sh/chart: argo-rollouts-2.37.7
+ helm.sh/chart: argo-rollouts-2.37.8
app.kubernetes.io/name: argo-rollouts
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "v1.7.2"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml out/pr/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml
--- out/target/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml 2024-11-22 16:44:44.720345888 +0000
+++ out/pr/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml 2024-11-22 16:44:11.328509311 +0000
@@ -44,13 +44,20 @@
resolvers:
- resolver: emailLocalPartMatchingUserEntityName
- resolver: emailMatchingUserEntityProfileEmail
session:
- secret: supersecret
+ secret: ${BACKEND_SECRET}
backend:
auth:
- keys:
- - secret: ${BACKEND_SECRET}
+ externalAccess:
+ - options:
+ subject: admincurlaccess
+ token: ${EXTERNAL_ACCESS_TOKEN}
+ type: static
+ - options:
+ secret: ${BACKEND_SECRET}
+ subject: legacy-secret
+ type: legacy
baseUrl: https://backstage-127-0-0-1.nip.io
cache:
store: memory
cors:
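Review bot: the `legacy` entry (`secret: ${BACKEND_SECRET}`, `subject: legacy-secret`) reuses the value that now also backs `session: secret: ${BACKEND_SECRET}`, so one secret serves both session signing and backend-to-backend authentication; give them separate values so a compromise of one does not cover the other, and plan to remove the `legacy` entry once callers use the `static` token. Replacing the literal `supersecret` with an environment reference is the right fix; make sure `BACKEND_SECRET` and `EXTERNAL_ACCESS_TOKEN` are injected from a Kubernetes Secret rather than a values file.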
@@ -233,9 +240,9 @@
annotationDeploymentName: backstage.io/kubernetes-id
baseUrl: https://kubecost-127-0-0-1.nip.io
fractionDigits: 4
queryframes: week,yesterday,month,today,lastweek
- shareTenancyCosts: true
+ shareTenancyCosts: false
sharedNamespaces: kube-system
showDashboardLink: true
unitprefix: €
kubernetes:
@@ -251,20 +258,41 @@
serviceLocatorMethod:
type: multiTenant
organization:
name: sX CNP
+ permission:
+ enabled: true
+ rbac:
+ admin:
+ superUsers:
+ - name: user:default/demoadmin
+ - name: user:default/phac008
+ - name: user:default/jkleinlercher
+ users:
+ - name: group:default/demouser
+ database:
+ enabled: true
+ maxDepth: 1
+ pluginsWithPermission:
+ - kubernetes
+ - catalog
+ - policy
+ - scaffolder
+ - rbac
+ policies-csv-file: /opt/app-root/src/rbac/rbac-policy.csv
+ policyFileReload: true
proxy:
- /argocd/api:
- changeOrigin: true
- headers:
- Cookie:
- $env: ARGOCD_AUTH_TOKEN
- secure: false
- target: http://sx-argocd-server.argocd:80/api/v1/
- /grafana/api:
- headers:
- Authorization: Bearer ${GRAFANA_TOKEN}
- target: http://sx-grafana.grafana:80
+ endpoints:
+ /argocd/api:
+ changeOrigin: true
+ headers:
+ Cookie:
+ $env: ARGOCD_AUTH_TOKEN
+ target: http://sx-argocd-server.argocd:80/api/v1/
+ /grafana/api:
+ headers:
+ Authorization: Bearer ${GRAFANA_TOKEN}
+ target: http://sx-grafana.grafana:80
scaffolder: {}
scorecards:
jsonDataUrl: https://raw.githubusercontent.com/Oriflame/backstage-plugins/main/plugins/score-card/sample-data/
techdocs:
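Review bot: `policies-csv-file: /opt/app-root/src/rbac/rbac-policy.csv` combined with `policyFileReload: true` turns the mounted policy file into a live authorisation source: editing the ConfigMap behind that path changes who may do what in the portal without a redeploy. Restrict write access to that ConfigMap to the deployment pipeline and keep its namespace under audit logging. The three hard-coded `superUsers` entries become full administrators of the portal; keep that list short and review it as part of this change. Dropping `secure: false` from the `/argocd/api` proxy is harmless here because the target is plain `http://`.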
@@ -273,7 +301,9 @@
runIn: local
publisher:
type: local
vault:
+ auth:
+ secret: ${VAULT_TOKEN}
+ type: static
baseUrl: https://${VAULT_ADDR}
publicUrl: https://${VAULT_ADDR}
- token: ${VAULT_TOKEN}
diff -U 4 -r out/target/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml out/pr/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml
--- out/target/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml 2024-11-22 16:44:44.720345888 +0000
+++ out/pr/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml 2024-11-22 16:44:11.328509311 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
annotations:
@@ -23,24 +23,28 @@
template:
metadata:
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
annotations:
- checksum/app-config: 1367a0655a4cda647303a8c19e265ccab55f73a6312b06ecf47ce9067317557d
+ checksum/app-config: 638d4a35f05a3b7d239f663166054ea4b759eaaa8f4d10e1947fd7430520ddcc
spec:
serviceAccountName: default
volumes:
+ - configMap:
+ defaultMode: 420
+ name: rbac-policy
+ name: rbac-policy
- name: backstage-app-config
configMap:
name: release-name-backstage-app-config
containers:
- name: backstage-backend
- image: ghcr.io/suxess-it/sx-backstage:latest
+ image: ghcr.io/suxess-it/sx-backstage:v1.32.5
imagePullPolicy: "Always"
command:
- node
- packages/backend
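Review bot: the new volume references a ConfigMap named `rbac-policy` that is not rendered anywhere in this diff, so it must be created outside the chart; if it is missing, the pod never leaves ContainerCreating. Confirm it is managed alongside this release. Pinning the image from `ghcr.io/suxess-it/sx-backstage:latest` to `:v1.32.5` is a good supply-chain change; with `imagePullPolicy: "Always"` still set, a tag can still be moved, so pin by digest if reproducible deploys matter. The `checksum/app-config` annotation change is expected because the ConfigMap content changed.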
@@ -81,4 +85,6 @@
volumeMounts:
- name: backstage-app-config
mountPath: "/app/app-config-from-configmap.yaml"
subPath: app-config.yaml
+ - mountPath: /opt/app-root/src/rbac
+ name: rbac-policy
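Review bot: add `readOnly: true` to the new `/opt/app-root/src/rbac` mount. ConfigMap volumes are not writable in practice, but stating it makes the intent explicit and satisfies admission policies that require read-only mounts for configuration.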
diff -U 4 -r out/target/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/ingress.yaml out/pr/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/ingress.yaml
--- out/target/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/ingress.yaml 2024-11-22 16:44:44.720345888 +0000
+++ out/pr/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/ingress.yaml 2024-11-22 16:44:11.328509311 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
annotations:
diff -U 4 -r out/target/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/service.yaml out/pr/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/service.yaml
--- out/target/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/service.yaml 2024-11-22 16:44:44.720345888 +0000
+++ out/pr/backstage/values-k3d.yaml/sx-backstage/charts/backstage/templates/service.yaml 2024-11-22 16:44:11.328509311 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
spec:
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -9,19 +9,21 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- ''
resources:
- secrets
+ - serviceaccounts
verbs:
- get
- list
- watch
+ - patch
- create
- update
- delete
- apiGroups:
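Review bot: this hunk widens the admission controller's namespaced Role: `serviceaccounts` joins `secrets` as a resource, and `patch` is added to the verb list. Because it is a Role rather than a ClusterRole, the blast radius is the Kyverno namespace, and the change arrives with the chart bump (kyverno-3.2.7 to kyverno-3.3.3), but a privilege increase should be called out in the PR description rather than slipping in silently under a dependency update.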
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: release-name-kyverno:admission-controller
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,16 +9,17 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
@@ -34,10 +35,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml 2024-11-22 16:44:59.708263235 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml 2024-11-22 16:44:28.388438499 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: admission-controller
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
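Review bot: the added selector `rbac.kyverno.io/aggregate-to-background-controller: "true"` means any ClusterRole carrying that label, wherever it is created, is merged into the background controller's permissions. Anyone allowed to create ClusterRoles can therefore extend what the controller may do; treat that label as privileged, restrict ClusterRole creation accordingly, and alert on new ClusterRoles that carry it.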
@@ -27,10 +29,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -40,9 +42,11 @@
- apiGroups:
- kyverno.io
resources:
- policies
+ - policies/status
- clusterpolicies
+ - clusterpolicies/status
- policyexceptions
- updaterequests
- updaterequests/status
- globalcontextentries
@@ -77,15 +81,21 @@
- patch
- update
- watch
- apiGroups:
- - '*'
+ - reports.kyverno.io
resources:
- - '*'
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
- - get
- - list
- - watch
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
- apiGroups:
- networking.k8s.io
resources:
- ingresses
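Review bot: replacing the `'*'`/`'*'` get/list/watch rule with `reports.kyverno.io` ephemeral reports removes the controller's cluster-wide read of every resource, Secrets included, which is the least-privilege win of this bump. Before merging, check whether any existing generate or mutateExisting policy reads resource kinds that the `view` ClusterRole bound further down in this diff does not cover (Secrets among them); those need an explicitly labelled aggregated ClusterRole instead of the old wildcard.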
@@ -109,9 +119,8 @@
- apiGroups:
- ""
resources:
- configmaps
- - secrets
- resourcequotas
- limitranges
verbs:
- create
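Review bot: `secrets` is dropped from the create/update rule for core resources, so generate policies that create Secrets will start failing with RBAC errors after this upgrade. If any such policy exists, add a ClusterRole with the `rbac.kyverno.io/aggregate-to-background-controller: "true"` label granting exactly the verbs it needs, rather than restoring the blanket rule.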
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,14 +8,35 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:background-controller
subjects:
- kind: ServiceAccount
name: kyverno-background-controller
namespace: default
+---
+# Source: sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: release-name-kyverno:background-controller:view
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: release-name-kyverno
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: default
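Review bot: the new binding of `kyverno-background-controller` to the built-in `view` ClusterRole grants read access to most namespaced resources in every namespace (it excludes Secrets). That is far narrower than the wildcard rule removed earlier in this diff but still cluster-wide; note it in the change description so operators know the controller's read scope.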
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-background-controller
containers:
- name: controller
- image: "ghcr.io/kyverno/background-controller:v1.12.6"
+ image: "ghcr.io/kyverno/background-controller:v1.13.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
@@ -64,15 +64,17 @@
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-background-controller
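Review bot: `--enablePolicyException=true` flips to `false` in this hunk, so the background controller will ignore PolicyException resources from now on; workloads that relied on an exception for generate or mutateExisting policies will be processed as if the exception did not exist. This is a behaviour change, not a dependency bump, and the PR title does not mention it; confirm it is intended or restore the previous value. The new `--enableReporting=...` and `--resyncPeriod=15m` flags only affect reporting scope and resync cadence.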
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
rules:
- apiGroups:
- ''
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff -U 4 -r out/target/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml out/pr/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml
--- out/target/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml 2024-11-22 16:44:44.656346190 +0000
+++ out/pr/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml 2024-11-22 16:44:11.260509546 +0000
@@ -29,12 +29,21 @@
signIn:
resolvers:
- resolver: usernameMatchingUserEntityName
guest: {}
+ session:
+ secret: ${BACKEND_SECRET}
backend:
auth:
- keys:
- - secret: ${BACKEND_SECRET}
+ externalAccess:
+ - options:
+ subject: admincurlaccess
+ token: ${EXTERNAL_ACCESS_TOKEN}
+ type: static
+ - options:
+ secret: ${BACKEND_SECRET}
+ subject: legacy-secret
+ type: legacy
baseUrl: https://portal-metalstack.platform-engineer.cloud
cache:
store: memory
cors:
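Review bot: same concern as in the k3d app-config: the `legacy` entry and the new `session: secret` both use `${BACKEND_SECRET}`; use separate values for session signing and backend authentication, and remove the `legacy` entry once clients use the `static` token.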
@@ -222,21 +231,41 @@
serviceLocatorMethod:
type: multiTenant
organization:
name: sX CNP
+ permission:
+ enabled: false
+ rbac:
+ admin:
+ superUsers:
+ - name: user:default/demoadmin
+ - name: user:default/phac008
+ - name: user:default/jkleinlercher
+ users:
+ - name: group:default/demouser
+ database:
+ enabled: true
+ maxDepth: 1
+ pluginsWithPermission:
+ - kubernetes
+ - catalog
+ - policy
+ - scaffolder
+ - rbac
+ policies-csv-file: /opt/app-root/src/rbac/rbac-policy.csv
+ policyFileReload: true
proxy:
- /argocd/api:
- changeOrigin: true
- headers:
- Cookie:
- $env: ARGOCD_AUTH_TOKEN
- secure: false
- target: https://argocd-metalstack.platform-engineer.cloud/api/v1/
- /grafana/api:
- headers:
- Authorization: Bearer ${GRAFANA_TOKEN}
- secure: false
- target: https://grafana-metalstack.platform-engineer.cloud
+ endpoints:
+ /argocd/api:
+ changeOrigin: true
+ headers:
+ Cookie:
+ $env: ARGOCD_AUTH_TOKEN
+ target: https://argocd-metalstack.platform-engineer.cloud/api/v1/
+ /grafana/api:
+ headers:
+ Authorization: Bearer ${GRAFANA_TOKEN}
+ target: https://grafana-metalstack.platform-engineer.cloud
scaffolder: {}
scorecards:
jsonDataUrl: https://raw.githubusercontent.com/Oriflame/backstage-plugins/main/plugins/score-card/sample-data/
techdocs:
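Review bot: `permission: enabled: false` here, while the k3d config sets it to `true`, makes the whole `rbac` block (superUsers, policy file, pluginsWithPermission) inert on metalstack, so this environment runs without authorisation checks; if that is a staged rollout, say so in the PR, otherwise set it to `true` to match. Removing `secure: false` from both proxies is a real hardening step because the targets are `https://` URLs and certificate validation is now on; verify the Backstage container trusts the certificates of argocd-metalstack and grafana-metalstack, or the proxied calls will fail.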
@@ -245,7 +274,9 @@
runIn: local
publisher:
type: local
vault:
+ auth:
+ secret: ${VAULT_TOKEN}
+ type: static
baseUrl: https://${VAULT_ADDR}
publicUrl: https://${VAULT_ADDR}
- token: ${VAULT_TOKEN}
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml 2024-11-22 16:44:59.708263235 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml 2024-11-22 16:44:28.388438499 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: background-controller
Only in out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates: cleanup
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
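Review bot: the new `rbac.kyverno.io/aggregate-to-cleanup-controller: "true"` selector means any ClusterRole in the cluster carrying that label is merged into `release-name-kyverno:cleanup-controller`, so the controller's effective permissions are no longer fully visible in this template. Whoever can create or label ClusterRoles can extend what the cleanup controller may delete; document the label in the upgrade notes and add an audit check (for example a policy or periodic query) that lists every ClusterRole with that label so unexpected grants are caught.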
@@ -27,10 +29,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:cleanup-controller
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-cleanup-controller
containers:
- name: controller
- image: "ghcr.io/kyverno/cleanup-controller:v1.12.6"
+ image: "ghcr.io/kyverno/cleanup-controller:v1.13.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
@@ -66,8 +66,9 @@
- --tlsSecretName=kyverno-cleanup-controller.default.svc.kyverno-tls-pair
- --servicePort=443
- --cleanupServerPort=9443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --enableDeferredLoading=true
@@ -90,8 +91,10 @@
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-cleanup-controller
+ - name: KYVERNO_ROLE_NAME
+ value: release-name-kyverno:cleanup-controller
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
rules:
- apiGroups:
- ''
@@ -59,4 +59,12 @@
- patch
- update
resourceNames:
- kyverno-cleanup-controller
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
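Review bot: the added rule grants get/list/watch on `apps/deployments` for the whole `default` namespace, whereas the rule just above it is narrowed with `resourceNames: [kyverno-cleanup-controller]`. If the intent is only to let the controller read its own Deployment (consistent with the new `KYVERNO_ROLE_NAME` env in deployment.yaml), consider adding a matching `resourceNames` entry; otherwise state in the PR why namespace-wide read on Deployments is required.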
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,16 +9,17 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
@@ -34,10 +35,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml 2024-11-22 16:44:59.708263235 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml 2024-11-22 16:44:28.388438499 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml out/pr/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml
--- out/target/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml 2024-11-22 16:44:44.656346190 +0000
+++ out/pr/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml 2024-11-22 16:44:11.260509546 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
annotations:
@@ -23,24 +23,28 @@
template:
metadata:
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
annotations:
- checksum/app-config: 948f67864a9addc7ffc53c06a81cf592a015bb35f16810ed8b7ff89543cc36b5
+ checksum/app-config: 0a3fb82927753f293703809230373678e986444e1190d20f55aa1c3fa9eea908
spec:
serviceAccountName: default
volumes:
+ - configMap:
+ defaultMode: 420
+ name: rbac-policy
+ name: rbac-policy
- name: backstage-app-config
configMap:
name: release-name-backstage-app-config
containers:
- name: backstage-backend
- image: ghcr.io/suxess-it/sx-backstage:latest
+ image: ghcr.io/suxess-it/sx-backstage:v1.32.5
imagePullPolicy: "Always"
command:
- node
- packages/backend
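Review bot: the new volume references a ConfigMap named `rbac-policy`, but nowhere in the visible rendered diff is that ConfigMap created, and the volume is not marked `optional`, so if it has to be supplied out of band the pod will stay in ContainerCreating until it exists; document where it comes from or render it in the chart. The image change from `:latest` to `:v1.32.5` is a clear improvement for reproducibility; with the tag now pinned, `imagePullPolicy: "Always"` mainly costs a registry round-trip per start, and pinning by digest would close the remaining tag-mutability gap.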
@@ -79,4 +83,6 @@
volumeMounts:
- name: backstage-app-config
mountPath: "/app/app-config-from-configmap.yaml"
subPath: app-config.yaml
+ - mountPath: /opt/app-root/src/rbac
+ name: rbac-policy
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: cleanup-controller
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml 2024-11-22 16:44:59.708263235 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml 2024-11-22 16:44:28.388438499 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/resource-policy: "keep"
data:
enableDefaultRegistryMutation: "true"
@@ -35,16 +35,10 @@
[Binding,*,*]
[Pod/binding,*,*]
[ReplicaSet,*,*]
[ReplicaSet/*,*,*]
- [AdmissionReport,*,*]
- [AdmissionReport/*,*,*]
- [ClusterAdmissionReport,*,*]
- [ClusterAdmissionReport/*,*,*]
- [BackgroundScanReport,*,*]
- [BackgroundScanReport/*,*,*]
- [ClusterBackgroundScanReport,*,*]
- [ClusterBackgroundScanReport/*,*,*]
+ [EphemeralReport,*,*]
+ [ClusterEphemeralReport,*,*]
[ClusterRole,*,release-name-kyverno:admission-controller]
[ClusterRole,*,release-name-kyverno:admission-controller:core]
[ClusterRole,*,release-name-kyverno:admission-controller:additional]
[ClusterRole,*,release-name-kyverno:background-controller]
@@ -129,6 +123,7 @@
[ServiceMonitor,default,kyverno-cleanup-controller]
[ServiceMonitor,default,kyverno-reports-controller]
[Secret,default,release-name-kyverno-svc.default.svc.*]
[Secret,default,kyverno-cleanup-controller.default.svc.*]
- webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\",\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"default\"]}],\"matchLabels\":null}}]"
+ updateRequestThreshold: "1000"
+ webhooks: "{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\",\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"default\"]}],\"matchLabels\":null}}"
webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}"
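Review bot: the `webhooks` value changes shape from a JSON array (`[{...}]`) to a single JSON object (`{...}`), not just content. Confirm this is the format the v1.13.1 admission controller parses (the chart rendering it this way suggests so), because if the field were still read as a list the `namespaceSelector` would be dropped and the `NotIn` exclusions for `kyverno`, `kube-system` and `default` would silently stop applying, putting the webhook back on system namespaces. `updateRequestThreshold: "1000"` is a new cap; note in the PR what happens when it is reached so operators can alert on it.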
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml 2024-11-22 16:44:59.708263235 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml 2024-11-22 16:44:28.388438499 +0000
@@ -9,9 +9,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
data:
namespaces: "{\"exclude\":[],\"include\":[]}"
+ metricsExposure: "{\"kyverno_admission_requests_total\":{\"disabledLabelDimensions\":[\"resource_namespace\"]},\"kyverno_admission_review_duration_seconds\":{\"disabledLabelDimensions\":[\"resource_namespace\"]},\"kyverno_cleanup_controller_deletedobjects_total\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"policy_namespace\"]},\"kyverno_policy_execution_duration_seconds\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"resource_request_operation\"]},\"kyverno_policy_results_total\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"policy_namespace\"]},\"kyverno_policy_rule_info_total\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"policy_namespace\"]}}"
bucketBoundaries: "0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30"
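Review bot: `metricsExposure` now drops the `resource_namespace` (and in places `policy_namespace`) label from the admission, policy-result and cleanup metrics. That reduces series cardinality, but any dashboard or alert that breaks down `kyverno_policy_results_total` or `kyverno_admission_requests_total` by namespace will lose that dimension after the upgrade; check existing Prometheus rules before merging, or restore the dimension for the metrics detection depends on.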
Only in out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks: post-delete-configmap.yaml
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml 2024-11-22 16:44:59.720263182 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
spec:
@@ -23,9 +23,9 @@
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: "bitnami/kubectl:1.28.5"
+ image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- -c
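Review bot: `imagePullPolicy:` renders as an empty value here (and in the pre-delete hook), so the kubelet default applies; with the tag `bitnami/kubectl:1.30.2` that is IfNotPresent, which is acceptable, but an explicit value in values.yaml avoids relying on the default. This job runs with the `kyverno-admission-controller` service account, so the kubectl image is part of the trusted computing base; consider pinning it by digest as well as tag.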
@@ -45,9 +45,9 @@
fi
done
COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
-
+
if [ $COUNT -gt 0 ]; then
echo "deleting $COUNT clusterpolicyreports"
kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
else
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml 2024-11-22 16:44:59.720263182 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "100"
@@ -26,10 +26,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
@@ -64,10 +64,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
@@ -90,10 +90,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "200"
@@ -105,23 +105,15 @@
serviceAccount: release-name-kyverno-migrate-resources
restartPolicy: Never
containers:
- name: kubectl
- image: "ghcr.io/kyverno/kyverno-cli:v1.12.6"
+ image: "ghcr.io/kyverno/kyverno-cli:v1.13.1"
imagePullPolicy: IfNotPresent
args:
- migrate
- --resource
- - admissionreports.kyverno.io
- - --resource
- - backgroundscanreports.kyverno.io
- - --resource
- cleanuppolicies.kyverno.io
- --resource
- - clusteradmissionreports.kyverno.io
- - --resource
- - clusterbackgroundscanreports.kyverno.io
- - --resource
- clustercleanuppolicies.kyverno.io
- --resource
- clusterpolicies.kyverno.io
- --resource
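Review bot: the migrate job no longer lists `admissionreports`, `backgroundscanreports`, `clusteradmissionreports` or `clusterbackgroundscanreports`, and the same kinds are removed from the RBAC and the resourceFilters elsewhere in this diff. Any objects of those kinds still present from the 3.2.7 install will be left behind rather than migrated; confirm the upgrade path expected by Kyverno 1.13 (whether those CRDs are removed or simply ignored) and record it in the release notes so leftover CRDs are not mistaken for active reports.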
Only in out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks: pre-delete-configmap.yaml
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml 2024-11-22 16:44:59.720263182 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: pre-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
@@ -24,9 +24,9 @@
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: "bitnami/kubectl:1.28.5"
+ image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- '-c'
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- kyverno.io
@@ -38,10 +38,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- kyverno.io
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- wgpolicyk8s.io
@@ -36,10 +36,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- wgpolicyk8s.io
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,28 +8,13 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
@@ -51,24 +36,13 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- kyverno.io
@@ -35,10 +35,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- kyverno.io
diff -U 4 -r out/target/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/ingress.yaml out/pr/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/ingress.yaml
--- out/target/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/ingress.yaml 2024-11-22 16:44:44.656346190 +0000
+++ out/pr/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/ingress.yaml 2024-11-22 16:44:11.260509546 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
annotations:
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
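Review bot: same concern as for the cleanup controller: `rbac.kyverno.io/aggregate-to-reports-controller: "true"` turns `release-name-kyverno:reports-controller` into an aggregated role, so the reports controller's effective permissions are the union of every ClusterRole carrying that label. Document the label and audit for it, since it is the intended way to extend what the controller may read after the wildcard rule below is removed.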
@@ -27,10 +29,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -39,9 +41,8 @@
- get
- apiGroups:
- ''
resources:
- - secrets
- configmaps
- namespaces
verbs:
- get
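Review bot: removing `secrets` from the reports controller's core-group read rule is a least-privilege improvement worth calling out in the PR description. Before merging, confirm that no background-scan policy in this deployment depends on the reports controller reading Secrets (for example registry credentials used by image verification), as that would now fail at scan time rather than at install.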
@@ -51,12 +52,8 @@
- kyverno.io
resources:
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
- policies
- clusterpolicies
verbs:
@@ -105,12 +102,4 @@
- events
verbs:
- create
- patch
- - apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
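Review bot: dropping the `*`/`*` get/list/watch rule removes cluster-wide read access from the reports controller, which is the most significant hardening in this diff. The trade-off is that custom resources scanned by background policies are no longer readable by default; each such kind now needs either coverage by the `view` binding added in clusterrolebinding.yaml or an explicit ClusterRole labelled `rbac.kyverno.io/aggregate-to-reports-controller`. Note this in the upgrade documentation so missing-permission scan errors after the upgrade are expected.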
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,14 +8,35 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:reports-controller
subjects:
- kind: ServiceAccount
name: kyverno-reports-controller
namespace: default
+---
+# Source: sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: release-name-kyverno:reports-controller:view
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: release-name-kyverno
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-reports-controller
+ namespace: default
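Review bot: binding `kyverno-reports-controller` to the built-in `view` ClusterRole is the right replacement for the wildcard read removed from the controller's own ClusterRole, with two points to keep in mind: `view` deliberately excludes `secrets` (so secret access now comes only from the namespaced Role), and it is an aggregated role, so any chart that labels a ClusterRole with `aggregate-to-view: "true"` (argo-rollouts in this very PR does) silently widens what the reports controller can read. The `namespace: default` under `subjects` is the helm template default and must match the real release namespace at deploy time.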
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-reports-controller
containers:
- name: controller
- image: "ghcr.io/kyverno/reports-controller:v1.12.6"
+ image: "ghcr.io/kyverno/reports-controller:v1.13.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
@@ -64,8 +64,9 @@
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --admissionReports=true
- --aggregateReports=true
- --policyReports=true
- --validatingAdmissionPolicyReports=false
@@ -78,12 +79,12 @@
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
- - --reportsChunkSize=0
+ - --enablePolicyException=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-reports-controller
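Review bot: `--enablePolicyException` flips from `true` to `false` in this hunk, so the reports controller stops honouring PolicyException resources unless the value is pinned explicitly for this release; the ClusterRole hunk above still grants access to `policyexceptions`, so the permission remains while the feature is off. If any cluster relies on exceptions to suppress known-acceptable violations, set the flag in the values file before upgrading. The dropped `--reportsChunkSize=0` and the new `--enableReporting=...` list are behavioural rather than security changes, but deserve a line in the PR description.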
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
rules:
- apiGroups:
- ''
@@ -24,8 +24,16 @@
resourceNames:
- release-name-kyverno
- release-name-kyverno-metrics
- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
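Review bot: the new rule grants `get`, `list` and `watch` on all `secrets` in the release namespace with no `resourceNames` restriction, unlike the rule immediately above it, which is pinned to `release-name-kyverno` and `release-name-kyverno-metrics`. This is still far narrower than the cluster-wide secret read removed from the ClusterRole, and `list`/`watch` cannot meaningfully be limited by `resourceNames` anyway; if the controller only ever needs specific secrets, a `get` rule pinned by `resourceNames` would be the tighter option.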
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml 2024-11-22 16:44:59.708263235 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml 2024-11-22 16:44:28.388438499 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: reports-controller
Only in out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests: admission-controller-liveness.yaml
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml 2024-11-22 16:44:59.720263182 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
Only in out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests: admission-controller-readiness.yaml
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml 2024-11-22 16:44:59.720263182 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/service.yaml out/pr/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/service.yaml
--- out/target/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/service.yaml 2024-11-22 16:44:44.656346190 +0000
+++ out/pr/backstage/values-metalstack.yaml/sx-backstage/charts/backstage/templates/service.yaml 2024-11-22 16:44:11.260509546 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
spec:
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml 2024-11-22 16:44:59.720263182 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml 2024-11-22 16:44:59.720263182 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml 2024-11-22 16:44:59.720263182 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
Only in out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_admissionreports.yaml
Only in out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_backgroundscanreports.yaml
Changes Default Values
diff -U 4 -r out-default-values/target/backstage_backstage_default-values.out out-default-values/pr/backstage_backstage_default-values.out
--- out-default-values/target/backstage_backstage_default-values.out 2024-11-22 16:44:44.936344870 +0000
+++ out-default-values/pr/backstage_backstage_default-values.out 2024-11-22 16:44:11.540508575 +0000
@@ -277,8 +277,12 @@
# operator: "Equal|Exists"
# value: "value"
# effect: "NoSchedule|PreferNoSchedule|NoExecute"
+ # -- Host Aliases for the pod
+ # <br /> Ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ hostAliases: []
+
# -- Annotations to add to the backend deployment pods
podAnnotations: {}
# -- Labels to add to the backend deployment pods
@@ -460,4 +464,8 @@
# -- ServiceMonitor endpoint path
# <br /> Note that the /metrics endpoint is NOT present in a freshly scaffolded Backstage app. To setup, follow the [Prometheus metrics tutorial](https://github.com/backstage/backstage/blob/master/contrib/docs/tutorials/prometheus-metrics.md).
path: /metrics
+ # -- ServiceMonitor endpoint port
+ # <br /> The port where the metrics are exposed. If using OpenTelemetry as [documented here](https://backstage.io/docs/tutorials/setup-opentelemetry/), then the port needs to be explicitely specificed. OpenTelemetry's default port is 9464.
+ port: http-backend
+
diff -U 4 -r out-default-values/target/external-secrets_external-secrets_default-values.out out-default-values/pr/external-secrets_external-secrets_default-values.out
--- out-default-values/target/external-secrets_external-secrets_default-values.out 2024-11-22 16:44:48.124329843 +0000
+++ out-default-values/pr/external-secrets_external-secrets_default-values.out 2024-11-22 16:44:15.984493130 +0000
@@ -42,8 +42,9 @@
# -- If true, create CRDs for Push Secret.
createPushSecret: true
annotations: {}
conversion:
+ # -- If webhook is set to false this also needs to be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
enabled: true
imagePullSecrets: []
nameOverride: ""
diff -U 4 -r out-default-values/target/falco_falco_default-values.out out-default-values/pr/falco_falco_default-values.out
--- out-default-values/target/falco_falco_default-values.out 2024-11-22 16:44:49.992317126 +0000
+++ out-default-values/pr/falco_falco_default-values.out 2024-11-22 16:44:18.448483175 +0000
@@ -391,9 +391,9 @@
# In such a case, only the ID, name, namespace, labels of the pod will be available.
enabled: false
# --pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as:
# "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0.
- pluginRef: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.0"
+ pluginRef: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1"
# -- collectorHostname is the address of the k8s-metacollector. When not specified it will be set to match
# k8s-metacollector service. e.x: falco-k8smetacollecto.falco.svc. If for any reason you need to override
# it, make sure to set here the address of the k8s-metacollector.
# It is used by the k8smeta plugin to connect to the k8s-metacollector.
@@ -401,8 +401,15 @@
# -- collectorPort designates the port on which the k8s-metacollector gRPC service listens. If not specified
# the value of the port named `broker-grpc` in k8s-metacollector.service.ports is used. The default values is 45000.
# It is used by the k8smeta plugin to connect to the k8s-metacollector.
collectorPort: ""
+ # verbosity level for the plugin logger: trace, debug, info, warning, error, critical.
+ verbosity: info
+ # The plugin needs to scan the '/proc' of the host on which is running.
+ # In Falco usually we put the host '/proc' folder under '/host/proc' so
+ # the default for this config is '/host'.
+ # The path used here must not have a final '/'.
+ hostProc: /host
###########################
# Extras and customization #
diff -U 4 -r out-default-values/target/grafana_grafana_default-values.out out-default-values/pr/grafana_grafana_default-values.out
--- out-default-values/target/grafana_grafana_default-values.out 2024-11-22 16:44:52.312299087 +0000
+++ out-default-values/pr/grafana_grafana_default-values.out 2024-11-22 16:44:20.736472957 +0000
@@ -113,8 +113,12 @@
# - myRegistrKeySecretName
testFramework:
enabled: true
+ ## The type of Helm hook used to run this test. Defaults to test.
+ ## ref: https://helm.sh/docs/topics/charts_hooks/#the-available-hooks
+ ##
+ # hookType: test
image:
# -- The Docker registry
registry: docker.io
repository: bats/bats
@@ -306,8 +310,44 @@
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
+# -- BETA: Configure the gateway routes for the chart here.
+# More routes can be added by adding a dictionary key like the 'main' route.
+# Be aware that this is an early beta of this feature,
+# kube-prometheus-stack does not guarantee this works and is subject to change.
+# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
+# [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2)
+route:
+ main:
+ # -- Enables or disables the route
+ enabled: false
+
+ # -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2
+ apiVersion: gateway.networking.k8s.io/v1
+ # -- Set the route kind
+ # Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute
+ kind: HTTPRoute
+
+ annotations: {}
+ labels: {}
+
+ hostnames: []
+ # - my-filter.example.com
+ parentRefs: []
+ # - name: acme-gw
+
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
+ ## Filters define the filters that are applied to requests that match this rule.
+ filters: []
+
+ ## Additional custom rules that can be added to the route
+ additionalRules: []
+
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
diff -U 4 -r out-default-values/target/k8s-monitoring_k8s-monitoring_default-values.out out-default-values/pr/k8s-monitoring_k8s-monitoring_default-values.out
--- out-default-values/target/k8s-monitoring_k8s-monitoring_default-values.out 2024-11-22 16:44:56.184279390 +0000
+++ out-default-values/pr/k8s-monitoring_k8s-monitoring_default-values.out 2024-11-22 16:44:24.724455150 +0000
@@ -57,9 +57,9 @@
# -- Custom labels to be added to all time series through a dynamic reference.
# All values are treated as raw strings and not quoted.
# @section -- External Services (Prometheus)
externalLabelsFrom: {}
- # -- Rule blocks to be added to the [write_relabel_config block](https://grafana.com/docs/alloy/latest/reference/components/prometheus.remote_write/#write_relabel_config-block)
+ # -- Rule blocks to be added to the [write_relabel_config block](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.remote_write/#write_relabel_config-block)
# of the prometheus.remote_write component.
# @section -- External Services (Prometheus)
writeRelabelConfigRules: ""
@@ -166,9 +166,9 @@
# -- Configure the Key for Prometheus Remote Write SigV4 Secret Key secret
# @section -- External Services (Prometheus)
secretKeyKey: "secretKey"
# Configure the Prometheus Remote Write Queue
- # [docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.remote_write/#queue_config-block)
+ # [docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.remote_write/#queue_config-block)
queue_config:
# -- Number of samples to buffer per shard.
# @default -- 10000
# @section -- External Services (Prometheus)
@@ -218,11 +218,11 @@
# @section -- External Services (Prometheus)
namespace: ""
# -- TLS settings to configure for the metrics service, compatible with
- # [remoteWrite protocol](https://grafana.com/docs/alloy/latest/reference/components/prometheus.remote_write/#tls_config-block),
- # [otlp](https://grafana.com/docs/alloy/latest/reference/components/otelcol.exporter.otlp/#tls-block), or
- # [otlphttp](https://grafana.com/docs/alloy/latest/reference/components/otelcol.exporter.otlphttp/#tls-block) protocols
+ # [remoteWrite protocol](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.remote_write/#tls_config-block),
+ # [otlp](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.exporter.otlp/#tls-block), or
+ # [otlphttp](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.exporter.otlphttp/#tls-block) protocols
# @section -- External Services (Prometheus)
tls: {}
# Metric processor settings. Only applies when protocol is "otlp" or "otlphttp"
@@ -317,9 +317,9 @@
# -- The key for the tenant ID property in the secret
# @section -- External Services (Loki)
tenantIdKey: tenantId
- # -- one of "none", "basic", "oauth2"
+ # -- one of "none", "basic", "oauth2", "bearerToken"
# @section -- External Services (Loki)
authMode: basic
# Authenticate to Loki using basic authentication
@@ -376,8 +376,20 @@
# -- URL to fetch the token from.
# @section -- External Services (Loki)
tokenURL: ""
+ # Authenticate to Loki using bearerToken or bearerTokenFile
+ bearerToken:
+ # -- Configure the Loki Bearer Token
+ # @section -- External Services (Loki)
+ token: ""
+ # -- Configure the Key for Loki Bearer Token secret
+ # @section -- External Services (Loki)
+ tokenKey: "bearerToken"
+ # -- Configure the Loki Bearer Token file
+ # @section -- External Services (Loki)
+ tokenFile: ""
+
# Credential management
secret:
# -- Should this Helm chart create the secret. If false, you must define the name and namespace values.
# @section -- External Services (Loki)
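Review bot: the new `bearerToken.token: ""` value (and the equivalent Tempo block further down) accepts a plaintext bearer token directly in the values file. Anyone adopting this option should prefer `tokenFile` or point the `secret:` block below at a pre-existing secret via `tokenKey`, so the credential is neither committed to git nor persisted in the Helm release secret. Worth a note in this repo's values documentation when the option is wired in.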
@@ -388,9 +400,9 @@
# -- The namespace of the secret.
# @section -- External Services (Loki)
namespace: ""
- # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/loki.write/#tls_config-block) to configure for the logs service.
+ # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/loki/loki.write/#tls_config-block) to configure for the logs service.
# @section -- External Services (Loki)
tls: {}
# Log processor settings. Only applies when protocol is "otlp" or "otlphttp"
@@ -451,9 +463,9 @@
# -- The key for the tenant ID property in the secret
# @section -- External Services (Tempo)
tenantIdKey: tenantId
- # -- one of "none", "basic"
+ # -- one of "none", "basic", "bearerToken"
# @section -- External Services (Tempo)
authMode: basic
# Authenticate to Tempo using basic authentication
@@ -470,8 +482,17 @@
# -- The key for the password property in the secret
# @section -- External Services (Tempo)
passwordKey: password
+ # Authenticate to Tempo using bearerToken
+ bearerToken:
+ # -- Configure the Tempo Bearer Token
+ # @section -- External Services (Tempo)
+ token: ""
+ # -- Configure the Key for Tempo Bearer Token secret
+ # @section -- External Services (Tempo)
+ tokenKey: "bearerToken"
+
# Credential management
secret:
# -- Should this Helm chart create the secret. If false, you must define the name and namespace values.
# @section -- External Services (Tempo)
@@ -482,13 +503,13 @@
# -- The namespace of the secret.
# @section -- External Services (Tempo)
namespace: ""
- # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol.exporter.otlp/#tls-block) to configure for the traces service.
+ # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.exporter.otlp/#tls-block) to configure for the traces service.
# @section -- External Services (Tempo)
tls: {}
- # -- Define the [TLS block](https://grafana.com/docs/alloy/latest/reference/components/otelcol.exporter.otlp/#tls-block).
+ # -- Define the [TLS block](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.exporter.otlp/#tls-block).
# Example:
# `tlsOptions: insecure = true`
# This option will be deprecated and removed soon. Please switch to `tls` and use yaml format.
# @section -- External Services (Tempo)
@@ -570,9 +591,9 @@
# -- The namespace of the secret.
# @section -- External Services (Pyroscope)
namespace: ""
- # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/pyroscope.write/#tls_config-block) to configure for the profiles service.
+ # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/pyroscope/pyroscope.write/#tls_config-block) to configure for the profiles service.
# @section -- External Services (Pyroscope)
tls: {}
# Settings related to capturing and forwarding metrics
@@ -584,23 +605,23 @@
# -- How frequently to scrape metrics
# @section -- Metrics Global Settings
scrapeInterval: 60s
- # -- Sets the max_cache_size for every prometheus.relabel component. ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # -- Sets the max_cache_size for every prometheus.relabel component. ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# This should be at least 2x-5x your largest scrape target or samples appended rate.
# @section -- Metrics Global Settings
maxCacheSize: 100000
# -- Rule blocks to be added to the discovery.relabel component for all metric sources.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Global Settings
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for all metric sources.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Global Settings
extraMetricRelabelingRules: ""
# Annotation-based auto-discovery allows for discovering metric sources solely on their annotations and does
@@ -618,15 +639,15 @@
# -- Rule blocks to be added to the discovery.relabel component for auto-discovered entities.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Auto-Discovery
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for auto-discovered entities.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Auto-Discovery
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -668,9 +689,9 @@
metricsScrapeInterval: "k8s.grafana.com/metrics.scrapeInterval"
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Auto-Discovery
maxCacheSize:
@@ -700,15 +721,15 @@
# -- Rule blocks to be added to the discovery.relabel component for Grafana Alloy.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Alloy
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for Grafana Alloy.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Alloy
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -728,9 +749,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Alloy
maxCacheSize:
@@ -754,15 +775,15 @@
# -- Rule blocks to be added to the discovery.relabel component for Kube State Metrics.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Kube State Metrics
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for Kube State Metrics.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Kube State Metrics
extraMetricRelabelingRules: ""
# Kube State Metrics service settings
@@ -788,9 +809,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Kube State Metrics
maxCacheSize:
@@ -815,15 +836,15 @@
# -- Rule blocks to be added to the discovery.relabel component for Node Exporter.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Node Exporter
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for Node Exporter.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Node Exporter
extraMetricRelabelingRules: ""
# Node Exporter service settings
@@ -852,9 +873,9 @@
dropMetricsForFilesystem: [tempfs]
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Node Exporter
maxCacheSize:
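Review bot: `dropMetricsForFilesystem: [tempfs]` in the context above looks like a typo for `tmpfs`; the filesystem type node_exporter reports in its `fstype` label is `tmpfs`, so as written this default matches nothing and no filesystem metrics are actually dropped. If `tempfs` is intentional it deserves a comment saying so, otherwise it is worth fixing while this block is being touched. The `cadvisor` wording in the max_cache_size comment two lines above also belongs to the Node Exporter job, not cAdvisor.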
@@ -878,15 +899,15 @@
# -- Rule blocks to be added to the discovery.relabel component for Windows Exporter.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Windows Exporter
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for Windows Exporter.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Windows Exporter
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -903,9 +924,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Windows Exporter
maxCacheSize:
@@ -928,15 +949,15 @@
# -- Rule blocks to be added to the discovery.relabel component for Kubelet.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Kubelet
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for Kubelet.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Kubelet
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -953,9 +974,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Kubelet
maxCacheSize:
@@ -978,15 +999,15 @@
# -- Rule blocks to be added to the discovery.relabel component for Kubelet Resources.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Kubelet Resources
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for Kubelet Resources.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Kubelet Resources
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -1003,9 +1024,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Kubelet Resources
maxCacheSize:
@@ -1028,15 +1049,15 @@
# -- Rule blocks to be added to the discovery.relabel component for cAdvisor.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: cAdvisor
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for cAdvisor.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: cAdvisor
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
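Review bot: the docs line for `extraMetricRelabelingRules` in the cAdvisor job keeps a doubled comment prefix, `+ # # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))`, where every other job writes a single `# (...)`. helm-docs takes the text after the first `# ` as the description, so the rendered table shows a stray `#` in front of the link; suggest dropping the extra `#` while this line is being rewritten anyway.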
@@ -1070,9 +1091,9 @@
keepPhysicalNetworkDevices: ["en[ospx][0-9].*", "wlan[0-9].*", "eth[0-9].*"]
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: cAdvisor
maxCacheSize:
@@ -1091,15 +1112,15 @@
# -- Rule blocks to be added to the discovery.relabel component for the API Server.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: ApiServer
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for the API Server.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: ApiServer
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -1112,9 +1133,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: ApiServer
maxCacheSize:
@@ -1138,15 +1159,15 @@
# -- Rule blocks to be added to the discovery.relabel component for the Kube Controller Manager.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Kube Controller Manager
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for the Kube Controller Manager.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Kube Controller Manager
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -1159,9 +1180,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Kube Controller Manager
maxCacheSize:
@@ -1185,15 +1206,15 @@
# -- Rule blocks to be added to the discovery.relabel component for the Kube Proxy.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Kube Proxy
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for the Kube Proxy.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Kube Proxy
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -1206,9 +1227,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Kube Proxy
maxCacheSize:
@@ -1232,15 +1253,15 @@
# -- Rule blocks to be added to the discovery.relabel component for the Kube Scheduler.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Kube Scheduler
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for the Kube Scheduler.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Kube Scheduler
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -1253,9 +1274,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Kube Scheduler
maxCacheSize:
@@ -1280,15 +1301,15 @@
# -- Rule blocks to be added to the discovery.relabel component for OpenCost.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: OpenCost
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for OpenCost.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: OpenCost
extraMetricRelabelingRules: ""
# Adjustments to the scraped metrics to filter the amount of data sent to storage.
@@ -1305,9 +1326,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: OpenCost
maxCacheSize:
@@ -1331,13 +1352,13 @@
# -- Rule blocks to be added to the discovery.relabel component for Kepler.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with __ (i.e. __meta_kubernetes*) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Kepler
extraRelabelingRules: ""
- # -- Rule blocks to be added to the prometheus.relabel component for Kepler. ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # -- Rule blocks to be added to the prometheus.relabel component for Kepler. ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no __meta* labels are present.
# @section -- Metrics Job: Kepler
extraMetricRelabelingRules: ""
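Review bot: the Kepler block is laid out differently from the other metrics jobs: `__` and `__meta_kubernetes*` on the `Before the scrape` line are not backticked, and the `([docs](...))` link for `extraMetricRelabelingRules` is on the `# --` summary line ahead of the explanatory sentence instead of after it. The URLs themselves are fine, but since both link lines are being rewritten here, suggest aligning the block with the layout used everywhere else. The Beyla block below has the same two differences.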
@@ -1356,9 +1377,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for the prometheus.relabel component for Kepler.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @default -- 100000
# @section -- Metrics Job: Kepler
maxCacheSize:
@@ -1381,13 +1402,13 @@
# -- Rule blocks to be added to the discovery.relabel component for Beyla.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with __ (i.e. __meta_kubernetes*) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Beyla
extraRelabelingRules: ""
- # -- Rule blocks to be added to the prometheus.relabel component for Beyla. ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # -- Rule blocks to be added to the prometheus.relabel component for Beyla. ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no __meta* labels are present.
# @section -- Metrics Job: Beyla
extraMetricRelabelingRules: ""
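Review bot: same layout difference as in the Kepler block: `__` and `__meta_kubernetes*` are unbackticked on the `Before the scrape` line, and the docs link for `extraMetricRelabelingRules` precedes the explanatory sentence rather than following it as in the other jobs. Worth normalising while the link lines are being edited.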
@@ -1402,9 +1423,9 @@
excludeMetrics: []
# -- Sets the max_cache_size for the prometheus.relabel component for Beyla.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @default -- 100000
# @section -- Metrics Job: Beyla
maxCacheSize:
@@ -1432,21 +1453,21 @@
# -- Rule blocks to be added to the prometheus.operator.podmonitors component for PodMonitors.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# The relabelings defined in the PodMonitor object are applied first, then these relabelings are applied.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Prometheus Operator (PodMonitors)
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for PodMonitor objects.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Prometheus Operator (PodMonitors)
extraMetricRelabelingRules: ""
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Prometheus Operator (PodMonitors)
maxCacheSize:
@@ -1474,21 +1495,21 @@
# -- Rule blocks to be added to the prometheus.operator.probes component for Probes.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# The relabelings defined in the PodMonitor object are applied first, then these relabelings are applied.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Prometheus Operator (Probes)
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for Probe objects.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Prometheus Operator (Probes)
extraMetricRelabelingRules: ""
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Prometheus Operator (Probes)
maxCacheSize:
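Review bot: `The relabelings defined in the PodMonitor object are applied first` under `@section -- Metrics Job: Prometheus Operator (Probes)` should read `Probe object`; this hunk edits the docs link two lines below it, so the copy-paste can be fixed in the same touch.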
@@ -1516,21 +1537,21 @@
# -- Rule blocks to be added to the prometheus.operator.probes component for Probes.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# The relabelings defined in the PodMonitor object are applied first, then these relabelings are applied.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Metrics Job: Prometheus Operator (ServiceMonitors)
extraRelabelingRules: ""
# -- Rule blocks to be added to the prometheus.relabel component for ServiceMonitor objects.
# These relabeling rules are applied post-scrape against the metrics returned from the scraped target, no `__meta*` labels are present.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#rule-block))
# @section -- Metrics Job: Prometheus Operator (ServiceMonitors)
extraMetricRelabelingRules: ""
# -- Sets the max_cache_size for cadvisor prometheus.relabel component.
# This should be at least 2x-5x your largest scrape target or samples appended rate.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus/prometheus.relabel/#arguments))
# Overrides metrics.maxCacheSize
# @raw
# @section -- Metrics Job: Prometheus Operator (ServiceMonitors)
maxCacheSize:
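Review bot: two copy-paste leftovers in the ServiceMonitors block: the summary line says `Rule blocks to be added to the prometheus.operator.probes component for Probes.` and the following comment says `defined in the PodMonitor object`, while the section marker is `Prometheus Operator (ServiceMonitors)`. Suggest `prometheus.operator.servicemonitors component for ServiceMonitors` and `ServiceMonitor object` respectively, alongside the link rewrite this hunk already makes.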
@@ -1550,9 +1571,9 @@
# Modules can be invoked using metrics.extraConfig, this block is consuming opinionated modules from the grafana/alloy-modules repository
# or any other repository that follows the same module structure. Each module is expected to have a "kubernetes" module and a "scrape" module.
alloyModules:
# -- List of connection configurations used by modules. Configures the import.git component
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/import.git/)
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/import/import.git/)
# <br>- `alias: ""` the alias of the connection
# <br>- `repository: ""` URL of the Git repository containing the module.
# <br>- `revision: ""` Branch, tag, or commit to be checked out.
# <br>- `pull_frequency: 15m` How often the module should check for updates.
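Review bot: the rewritten line `+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/import/import.git/)` is still missing the closing `)` of the outer parenthesis, so the rendered description ends with an unbalanced `(`; every other docs link in this file ends with `))`. Separately, since `revision` accepts a branch, tag or commit and `pull_frequency: 15m` means the module source is re-checked every 15 minutes, the `revision` comment should say that a commit SHA (or at least an immutable tag) is the safe choice outside experimentation: a mutable branch turns every push to that repository into a live configuration change on the collector, with no review step in between.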
@@ -1585,17 +1606,17 @@
# Settings related to metrics ingested via receivers
# @section -- Metrics -> OTEL Receivers
receiver:
# -- Apply a filter to metrics received via the OTLP or OTLP HTTP receivers.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol.processor.filter/))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.processor.filter/))
# @section -- Metrics Receivers
filters:
# @section -- Metrics Receivers
metric: []
# @section -- Metrics Receivers
datapoint: []
# -- Apply a transformation to metrics received via the OTLP or OTLP HTTP receivers.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol.processor.transform/))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.processor.transform/))
# @section -- Metrics Receivers
transforms:
# @section -- Metrics Receivers
resource: []
@@ -1642,9 +1663,9 @@
# -- Rule blocks to be added to the discovery.relabel component for pod logs.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Logs Scrape: Pod Logs
extraRelabelingRules: ""
# -- Controls the behavior of gathering pod logs.
@@ -1655,9 +1676,9 @@
# @section -- Logs Scrape: Pod Logs
gatherMethod: "volumes"
# -- Stage blocks to be added to the loki.process component for pod logs.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/loki.process/#blocks))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/loki/loki.process/#blocks))
# This value is templated so that you can refer to other values from this file.
# @section -- Logs Scrape: Pod Logs
extraStageBlocks: ""
@@ -1693,9 +1714,9 @@
# @section -- Logs Scrape: PodLog Objects
selector: ""
# -- Stage blocks to be added to the loki.process component for logs gathered via PodLogs objects.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/loki.process/#blocks))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/loki/loki.process/#blocks))
# This value is templated so that you can refer to other values from this file.
# @section -- Logs Scrape: PodLog Objects
extraStageBlocks: ""
@@ -1713,9 +1734,9 @@
# @section -- Logs Scrape: Cluster Events
namespaces: []
# -- Stage blocks to be added to the loki.process component for cluster events.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/loki.process/#blocks))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/loki/loki.process/#blocks))
# This value is templated so that you can refer to other values from this file.
# @section -- Logs Scrape: Cluster Events
extraStageBlocks: ""
@@ -1759,17 +1780,17 @@
# - docker.service
# - containerd.service
# -- Stage blocks to be added to the loki.process component for journal logs.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/loki.process/#blocks))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/loki/loki.process/#blocks))
# This value is templated so that you can refer to other values from this file.
# @section -- Logs Scrape: Journal
extraStageBlocks: ""
# -- Rule blocks to be added used with the loki.source.journal component for journal logs.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# **Note:** Many field names from journald start with an `_`, such as `_systemd_unit`. The final internal label name would
# be `__journal__systemd_unit`, with two underscores between `__journal` and `systemd_unit`.
# @section -- Logs Scrape: Pod Logs
extraRelabelingRules: ""
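Review bot: three problems in the Journal block besides the link rewrite: `Rule blocks to be added used with the loki.source.journal component` reads as `added used`; the `@section -- Logs Scrape: Pod Logs` marker at the end of the block files this `extraRelabelingRules` under Pod Logs in the generated docs instead of under `Logs Scrape: Journal` like the `extraStageBlocks` entry just above it; and the `(i.e. `__meta_kubernetes*`)` example was copied from the Kubernetes jobs, whereas the Note two lines below correctly describes the `__journal_*` labels that actually apply here. Suggest `Rule blocks to be used with ...`, `@section -- Logs Scrape: Journal`, and `__journal_*` as the example label.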
@@ -1777,15 +1798,15 @@
# Settings related to logs ingested via receivers
# @section -- Logs -> OTEL Receiver
receiver:
# -- Apply a filter to logs received via the OTLP or OTLP HTTP receivers.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol.processor.filter/))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.processor.filter/))
# @section -- Logs Receiver
filters:
# @section -- Logs Receiver
log_record: []
# -- Apply a transformation to logs received via the OTLP or OTLP HTTP receivers.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol.processor.transform/))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.processor.transform/))
# @section -- Logs Receiver
transforms:
# -- Resource transformation rules.
# @section -- Logs Receiver
@@ -1812,9 +1833,9 @@
# Settings related to traces ingested via receivers
receiver:
# -- Apply a filter to traces received via the OTLP or OTLP HTTP receivers.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol.processor.filter/))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.processor.filter/))
# @section -- Traces
filters:
# @section -- Traces
span:
@@ -1823,9 +1844,9 @@
- attributes["http.route"] == "/ready"
# @section -- Traces
spanevent: []
# -- Apply a transformation to traces received via the OTLP or OTLP HTTP receivers.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol.processor.transform/))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.processor.transform/))
# @section -- Traces
transforms:
# @section -- Traces
resource: []
@@ -1853,9 +1874,9 @@
# -- Rule blocks to be added to the discovery.relabel component for eBPF profile sources.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Profiles (eBPF)
extraRelabelingRules: ""
# -- C++ demangle mode. Available options are: none, simplified, templates, full
@@ -1871,9 +1892,9 @@
# @section -- Profiles (java)
namespaces: []
# -- Rule blocks to be added to the discovery.relabel component for Java profile sources.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Profiles (java)
extraRelabelingRules: ""
# -- Configuration for the async-profiler
@@ -1896,9 +1917,9 @@
# -- Rule blocks to be added to the discovery.relabel component for eBPF profile sources.
# These relabeling rules are applied pre-scrape against the targets from service discovery.
# Before the scrape, any remaining target labels that start with `__` (i.e. `__meta_kubernetes*`) are dropped.
- # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery.relabel/#rule-block))
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/discovery/discovery.relabel/#rule-block))
# @section -- Profiles (pprof)
extraRelabelingRules: ""
# -- Profile types to gather
@@ -1928,9 +1949,9 @@
# -- Which port to use for the OTLP/gRPC receiver. This port needs to be opened in the alloy section below.
# @section -- OTEL Receivers (gRPC)
port: 4317
- # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol.receiver.otlp/#tls-block) to configure for the OTLP/gRPC receiver.
+ # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.receiver.otlp/#tls-block) to configure for the OTLP/gRPC receiver.
# @section -- OTEL Receivers (gRPC)
tls: {}
# -- It removes attributes which could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections will be removed.
@@ -1945,9 +1966,9 @@
# -- Which port to use for the OTLP/HTTP receiver. This port needs to be opened in the alloy section below.
# @section -- OTEL Receivers (HTTP)
port: 4318
- # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol.receiver.otlp/#tls-block) to configure for the OTLP/HTTP receiver.
+ # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.receiver.otlp/#tls-block) to configure for the OTLP/HTTP receiver.
# @section -- OTEL Receivers (HTTP)
tls: {}
# -- It removes attributes which could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections will be removed.
@@ -1994,9 +2015,9 @@
# -- Which port to use for the Thrift HTTP receiver. This port needs to be opened in the alloy section below.
# @section -- OTEL Receivers (Jaeger)
port: 14268
- # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol.receiver.jaeger/#tls-block) to configure for the Jaeger receiver.
+ # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.receiver.jaeger/#tls-block) to configure for the Jaeger receiver.
# @section -- OTEL Receivers (Jaeger)
tls: {}
# -- It removes attributes which could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections will be removed.
@@ -2011,9 +2032,9 @@
# -- Which port to use for the Zipkin receiver. This port needs to be opened in the alloy section below.
# @section -- OTEL Receivers (Zipkin)
port: 9411
- # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol.receiver.zipkin/#tls-block) to configure for the Zipkin receiver.
+ # -- [TLS settings](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.receiver.zipkin/#tls-block) to configure for the Zipkin receiver.
# @section -- OTEL Receivers (Zipkin)
tls: {}
# -- It removes attributes which could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections will be removed.
@@ -2058,8 +2079,42 @@
# -- Kubernetes annotations to extract and add to the attributes of the received telemetry data.
# @section -- OTEL Receivers (Processors)
annotations: []
+ # -- Apply an attributes processor to data received via OTLP/gRPC, OTLP/HTTP, Jaeger, or Zipkin receivers
+ # ([docs](https://grafana.com/docs/alloy/latest/reference/components/otelcol/otelcol.processor.attributes/))
+ # @section -- OTEL Receivers (Processors)
+ attributes:
+ # -- The list of attribute actions to include in the telemetry data.
+ # Example:
+ # actions:
+ # - key: "new_user_key"
+ # from_attribute: "user_key"
+ # action: "upsert"
+ # @section -- OTEL Receivers (Processors)
+ actions: []
+
+ # -- The list include data being fed into the action blocks based on the properties of a span, log, or metric records.
+ # @section -- OTEL Receivers (Processors)
+ include:
+ matchType: ""
+ logBodies: []
+ logSeverityTexts: []
+ metricNames: []
+ services: []
+ spanKinds: []
+ spanNames: []
+
+ # @section -- OTEL Receivers (Processors)
+ exclude:
+ matchType: ""
+ logBodies: []
+ logSeverityTexts: []
+ metricNames: []
+ services: []
+ spanKinds: []
+ spanNames: []
+
# Resource detection processor for OTLP/gRPC, OTLP/HTTP, Jaeger, or Zipkin receivers
resourcedetection:
# -- Read resource information from the OTEL_RESOURCE_ATTRIBUTES environment variable.
# @section -- OTEL Receivers (Processors)
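Review bot: the description on the new `include` block (`# -- The list include data being fed into the action blocks based on the properties of a span, log, or metric records.`) is not a sentence, and the `exclude` block that follows carries only a `@section` tag with no `# --` description, so helm-docs will render it with no explanation at all. Suggest `# -- Match properties (span, log or metric records) that must be present for the attribute actions to apply.` for `include` and a mirrored `# -- Match properties for which the attribute actions are skipped.` for `exclude`. The `matchType: ""` default would also benefit from the comment listing the accepted values, since an empty match type combined with non-empty match lists is an easy misconfiguration to ship.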
@@ -2468,8 +2523,12 @@
# @ignored
podAnnotations:
k8s.grafana.com/logs.job: integrations/beyla
+ # @ignored -- Beyla can only install to Linux nodes
+ nodeSelector:
+ kubernetes.io/os: linux
+
# Settings for the Grafana Alloy instance that gathers metrics, and opens receivers for application data.
# See https://github.com/grafana/alloy/tree/main/operations/helm/charts/alloy for available values.
alloy:
# -- Deploy this Alloy instance. Only set this to false if you are not using metrics or any receivers.
diff -U 4 -r out-default-values/target/kyverno_kyverno_default-values.out out-default-values/pr/kyverno_kyverno_default-values.out
--- out-default-values/target/kyverno_kyverno_default-values.out 2024-11-22 16:45:00.644259108 +0000
+++ out-default-values/pr/kyverno_kyverno_default-values.out 2024-11-22 16:44:29.340434164 +0000
@@ -10,8 +10,14 @@
image:
# -- (string) Global value that allows to set a single image registry across all deployments.
# When set, it will override any values set under `.image.registry` across the chart.
registry: ~
+ # -- (list) Global list of Image pull secrets
+ # When set, it will override any values set under `imagePullSecrets` under different components across the chart.
+ imagePullSecrets: []
+
+ # -- Resync period for informers
+ resyncPeriod: 15m
caCertificates:
# -- Global CA certificates to use with Kyverno deployments
# This value is expected to be one large string of CA certificates
@@ -36,8 +42,11 @@
# -- Global node labels for pod assignment. Non-global values will override the global value.
nodeSelector: {}
+ # -- Global List of node taints to tolerate. Non-global values will override the global value.
+ tolerations: []
+
# -- (string) Override the name of the chart
nameOverride: ~
# -- (string) Override the expanded name of the chart
@@ -65,13 +74,9 @@
groups:
# -- Install CRDs in group `kyverno.io`
kyverno:
- admissionreports: true
- backgroundscanreports: true
cleanuppolicies: true
- clusteradmissionreports: true
- clusterbackgroundscanreports: true
clustercleanuppolicies: true
clusterpolicies: true
globalcontextentries: true
policies: true
@@ -102,13 +107,9 @@
enabled: true
# -- Resources to migrate
resources:
- - admissionreports.kyverno.io
- - backgroundscanreports.kyverno.io
- cleanuppolicies.kyverno.io
- - clusteradmissionreports.kyverno.io
- - clusterbackgroundscanreports.kyverno.io
- clustercleanuppolicies.kyverno.io
- clusterpolicies.kyverno.io
- globalcontextentries.kyverno.io
- policies.kyverno.io
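Review bot: dropping `admissionreports`/`backgroundscanreports` (and their cluster-scoped variants) from both the CRD install list and the `migrate` resource list leaves clusters that already have those CRDs in an undefined state: whether Helm removes them on upgrade depends on the crds subchart's resource policy, which is not visible here, and the migration job no longer relabels them either way, so stale report objects may remain behind. The upgrade notes for this bump should say whether the old CRDs are expected to be deleted by hand and what replaces them (the `resourceFilters` hunk below switches to `EphemeralReport`).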
@@ -225,16 +226,10 @@
- '[Binding,*,*]'
- '[Pod/binding,*,*]'
- '[ReplicaSet,*,*]'
- '[ReplicaSet/*,*,*]'
- - '[AdmissionReport,*,*]'
- - '[AdmissionReport/*,*,*]'
- - '[ClusterAdmissionReport,*,*]'
- - '[ClusterAdmissionReport/*,*,*]'
- - '[BackgroundScanReport,*,*]'
- - '[BackgroundScanReport/*,*,*]'
- - '[ClusterBackgroundScanReport,*,*]'
- - '[ClusterBackgroundScanReport/*,*,*]'
+ - '[EphemeralReport,*,*]'
+ - '[ClusterEphemeralReport,*,*]'
# exclude resources from the chart
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
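Review bot: the replacement entries `'[EphemeralReport,*,*]'` and `'[ClusterEphemeralReport,*,*]'` have no `/*` subresource counterparts, while every removed report kind had both a `[Kind,*,*]` and a `[Kind/*,*,*]` entry. If subresources of ephemeral reports should also be excluded from policy processing, add `'[EphemeralReport/*,*,*]'` and `'[ClusterEphemeralReport/*,*,*]'`; if the omission is intentional, a one-line comment would stop the next reader from re-adding them.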
@@ -321,20 +316,21 @@
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- # -- Defines the `namespaceSelector` in the webhook configurations.
- # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
- # will be forwarded to the webhook configurations.
+ # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies.
+ updateRequestThreshold: 1000
+
+ # -- Defines the `namespaceSelector`/`objectSelector` in the webhook configurations.
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
webhooks:
# Exclude namespaces
- - namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: NotIn
- values:
- - kube-system
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
# Exclude objects
# - objectSelector:
# matchExpressions:
# - key: webhooks.kyverno.io/exclude
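Review bot: `webhooks` changes shape from a list (`- namespaceSelector:`) to a map (`namespaceSelector:`), so any user values file that still overrides it as a list will no longer merge with the new default; this is a breaking values change and needs an entry in the upgrade notes. Separately, the comment on the new `updateRequestThreshold` key misspells `mutateExisting` as `mutateExisitng`, and it should state what happens once the threshold is reached (further UpdateRequests rejected, or throttled), because that decides whether generate policies stop silently.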
@@ -400,15 +396,23 @@
# -- (list) Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller
bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30]
# -- (map) Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller
- metricsExposure: ~
- # metricsExposure:
- # kyverno_policy_execution_duration_seconds:
- # disabledLabelDimensions: ["resource_kind", "resource_namespace", "resource_request_operation"]
- # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
- # kyverno_admission_review_duration_seconds:
- # enabled: false
+ metricsExposure:
+ kyverno_policy_execution_duration_seconds:
+ # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
+ disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
+ kyverno_admission_review_duration_seconds:
+ # enabled: false
+ disabledLabelDimensions: ["resource_namespace"]
+ kyverno_policy_rule_info_total:
+ disabledLabelDimensions: ["resource_namespace", "policy_namespace"]
+ kyverno_policy_results_total:
+ disabledLabelDimensions: ["resource_namespace", "policy_namespace"]
+ kyverno_admission_requests_total:
+ disabledLabelDimensions: ["resource_namespace"]
+ kyverno_cleanup_controller_deletedobjects_total:
+ disabledLabelDimensions: ["resource_namespace", "policy_namespace"]
# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
imagePullSecrets: {}
# regcred:
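Review bot: the description above `metricsExposure` still says "by default all metrics and all labels are exported", which is no longer true once the default disables `resource_namespace` (plus `policy_namespace` and `resource_request_operation`) on six metrics; update that comment. Dropping those label dimensions by default also changes what existing dashboards and alerts can query: anything grouping `kyverno_policy_results_total` or `kyverno_admission_requests_total` by namespace goes blank after the upgrade, so this belongs in the upgrade notes. The commented-out `# bucketBoundaries:` and `# enabled: false` lines left under the now-active keys read as leftovers; either remove them or turn them into a labelled example.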
@@ -426,8 +430,10 @@
# - other-test-registry
# Tests configuration
test:
+ # -- Sleep time before running test
+ sleep: 20
image:
# -- (string) Image registry
registry: ~
@@ -439,8 +445,12 @@
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy: ~
+ # -- Image pull secrets
+ imagePullSecrets: []
+ # - name: secretName
+
resources:
# -- Pod resource limits
limits:
cpu: 100m
@@ -470,16 +480,20 @@
webhooksCleanup:
# -- Create a helm pre-delete hook to cleanup webhooks.
enabled: true
+ autoDeleteWebhooks:
+ # -- Allow webhooks controller to delete webhooks using finalizers
+ enabled: false
+
image:
# -- (string) Image registry
registry: ~
# -- Image repository
repository: bitnami/kubectl
# -- Image tag
# Defaults to `latest` if omitted
- tag: '1.28.5'
+ tag: '1.30.2'
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy: ~
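Review bot: the new `autoDeleteWebhooks` block sits directly beside `webhooksCleanup.enabled: true`, but neither comment says how the two relate (is finalizer-based deletion a replacement for the pre-delete hook or complementary to it?) or what the controller must be granted for finalizer deletion of webhook configurations to succeed. Suggest expanding the description to something like `# -- Allow the webhooks controller to delete webhook configurations via finalizers (alternative to the pre-delete hook above)`, whichever is accurate.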
@@ -534,9 +548,9 @@
# -- Image repository
repository: bitnami/kubectl
# -- Image tag
# Defaults to `latest` if omitted
- tag: '1.28.5'
+ tag: '1.30.2'
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy: ~
@@ -603,8 +617,10 @@
# -- create GrafanaDashboard custom resource referencing to the configMap.
# according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
grafanaDashboard:
create: false
+ folder: kyverno
+ allowCrossNamespaceImport: true
matchLabels:
dashboards: "grafana"
# Features configuration
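Review bot: `folder: kyverno` and `allowCrossNamespaceImport: true` are added without `# --` descriptions, so helm-docs will not document them, and the latter defaults to the permissive setting: it lets Grafana operator instances in other namespaces pick up this dashboard. A one-line description such as `# -- Allow Grafana instances outside this namespace to import the dashboard` makes that default visible to anyone reviewing the values.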
@@ -620,8 +636,19 @@
enabled: true
validatingAdmissionPolicyReports:
# -- Enables the feature
enabled: false
+ reporting:
+ # -- Enables the feature
+ validate: true
+ # -- Enables the feature
+ mutate: true
+ # -- Enables the feature
+ mutateExisting: true
+ # -- Enables the feature
+ imageVerify: true
+ # -- Enables the feature
+ generate: true
autoUpdateWebhooks:
# -- Enables the feature
enabled: true
backgroundScan:
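Review bot: each of the five new `reporting` keys (`validate`, `mutate`, `mutateExisting`, `imageVerify`, `generate`) carries the same copied description `# -- Enables the feature`, which tells the reader nothing about what is being toggled. Suggest per-key wording such as `# -- Generate policy reports for validate rules`, and a `# --` description on `reporting:` itself.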
@@ -647,8 +674,11 @@
enabled: false
generateValidatingAdmissionPolicy:
# -- Enables the feature
enabled: false
+ dumpPatches:
+ # -- Enables the feature
+ enabled: false
globalContext:
# -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)
maxApiCallResponseLength: 2000000
logging:
@@ -664,10 +694,11 @@
# - PolicyViolation
# - PolicyError
policyExceptions:
# -- Enables the feature
- enabled: true
+ enabled: false
# -- Restrict policy exceptions to a single namespace
+ # Set to "*" to allow exceptions in all namespaces
namespace: ''
protectManagedResources:
# -- Enables the feature
enabled: false
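Review bot: flipping `policyExceptions.enabled` from `true` to `false` is a behavioural change, not a docs tweak: on clusters that already rely on PolicyException resources, those exceptions are ignored after the upgrade and the underlying policies enforce unconditionally, which can start blocking admissions. This needs a prominent upgrade note. The added comment `Set to "*" to allow exceptions in all namespaces` also leaves the default `namespace: ''` unexplained; state what an empty value means (no namespace at all, or no restriction) so users can tell which direction the default errs in.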
@@ -680,419 +711,21 @@
- google
- amazon
- azure
- github
- reports:
- # -- Reports chunk size
- chunkSize: 0
ttlController:
# -- Reconciliation interval for the label based cleanup manager
reconciliationInterval: 1m
tuf:
# -- Enables the feature
enabled: false
- # -- (string) Tuf root
+ # -- (string) Path to Tuf root
root: ~
+ # -- (string) Raw Tuf root
+ rootRaw: ~
# -- (string) Tuf mirror
mirror: ~
-# Cleanup cronjobs to prevent internal resources from stacking up in the cluster
-cleanupJobs:
-
- admissionReports:
-
- # -- Enable cleanup cronjob
- enabled: true
-
- # -- Maximum number of retries before considering a Job as failed. Defaults to 3.
- backoffLimit: 3
-
- image:
- # -- (string) Image registry
- registry: ~
- # -- Image repository
- repository: bitnami/kubectl
- # -- Image tag
- # Defaults to `latest` if omitted
- tag: '1.28.5'
- # -- (string) Image pull policy
- # Defaults to image.pullPolicy if omitted
- pullPolicy: ~
-
- # -- Image pull secrets
- imagePullSecrets: []
- # - name: secretName
-
- # -- Cronjob schedule
- schedule: '*/10 * * * *'
-
- # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
- threshold: 10000
-
- # -- Cronjob history
- history:
- success: 1
- failure: 1
-
- # -- Security context for the pod
- podSecurityContext: {}
-
- # -- Security context for the containers
- securityContext:
- runAsNonRoot: true
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
-
- # -- Pod PriorityClassName
- priorityClassName: ""
-
- # -- Job resources
- resources: {}
-
- # -- List of node taints to tolerate
- tolerations: []
-
- # -- Node labels for pod assignment
- nodeSelector: {}
-
- # -- Pod Annotations
- podAnnotations: {}
-
- # -- Pod labels
- podLabels: {}
-
- # -- Pod anti affinity constraints.
- podAntiAffinity: {}
-
- # -- Pod affinity constraints.
- podAffinity: {}
-
- # -- Node affinity constraints.
- nodeAffinity: {}
-
- clusterAdmissionReports:
-
- # -- Enable cleanup cronjob
- enabled: true
-
- # -- Maximum number of retries before considering a Job as failed. Defaults to 3.
- backoffLimit: 3
-
- image:
- # -- (string) Image registry
- registry: ~
- # -- Image repository
- repository: bitnami/kubectl
- # -- Image tag
- # Defaults to `latest` if omitted
- tag: '1.28.5'
- # -- (string) Image pull policy
- # Defaults to image.pullPolicy if omitted
- pullPolicy: ~
-
- # -- Image pull secrets
- imagePullSecrets: []
- # - name: secretName
-
- # -- Cronjob schedule
- schedule: '*/10 * * * *'
-
- # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
- threshold: 10000
-
- # -- Cronjob history
- history:
- success: 1
- failure: 1
-
- # -- Security context for the pod
- podSecurityContext: {}
-
- # -- Security context for the containers
- securityContext:
- runAsNonRoot: true
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
-
- # -- Pod PriorityClassName
- priorityClassName: ""
-
- # -- Job resources
- resources: {}
-
- # -- List of node taints to tolerate
- tolerations: []
-
- # -- Node labels for pod assignment
- nodeSelector: {}
-
- # -- Pod Annotations
- podAnnotations: {}
-
- # -- Pod Labels
- podLabels: {}
-
- # -- Pod anti affinity constraints.
- podAntiAffinity: {}
-
- # -- Pod affinity constraints.
- podAffinity: {}
-
- # -- Node affinity constraints.
- nodeAffinity: {}
-
- updateRequests:
-
- # -- Enable cleanup cronjob
- enabled: false
-
- # -- Maximum number of retries before considering a Job as failed. Defaults to 3.
- backoffLimit: 3
-
- # -- Time until the pod from the cronjob is deleted
- ttlSecondsAfterFinished: ""
-
- image:
- # -- (string) Image registry
- registry: ~
- # -- Image repository
- repository: bitnami/kubectl
- # -- Image tag
- # Defaults to `latest` if omitted
- tag: '1.28.5'
- # -- (string) Image pull policy
- # Defaults to image.pullPolicy if omitted
- pullPolicy: ~
-
- # -- Image pull secrets
- imagePullSecrets: []
- # - name: secretName
-
- # -- Cronjob schedule
- schedule: '*/10 * * * *'
-
- # -- Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them
- threshold: 10000
-
- # -- Cronjob history
- history:
- success: 1
- failure: 1
-
- # -- Security context for the pod
- podSecurityContext: {}
-
- # -- Security context for the containers
- securityContext:
- runAsNonRoot: true
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
-
- # -- Pod PriorityClassName
- priorityClassName: ""
-
- # -- Job resources
- resources: {}
-
- # -- List of node taints to tolerate
- tolerations: []
-
- # -- Node labels for pod assignment
- nodeSelector: {}
-
- # -- Pod Annotations
- podAnnotations: {}
-
- # -- Pod labels
- podLabels: {}
-
- # -- Pod anti affinity constraints.
- podAntiAffinity: {}
-
- # -- Pod affinity constraints.
- podAffinity: {}
-
- # -- Node affinity constraints.
- nodeAffinity: {}
-
- ephemeralReports:
-
- # -- Enable cleanup cronjob
- enabled: true
-
- # -- Maximum number of retries before considering a Job as failed. Defaults to 3.
- backoffLimit: 3
-
- # -- Time until the pod from the cronjob is deleted
- ttlSecondsAfterFinished: ""
-
- image:
- # -- (string) Image registry
- registry: ~
- # -- Image repository
- repository: bitnami/kubectl
- # -- Image tag
- # Defaults to `latest` if omitted
- tag: '1.28.5'
- # -- (string) Image pull policy
- # Defaults to image.pullPolicy if omitted
- pullPolicy: ~
-
- # -- Image pull secrets
- imagePullSecrets: []
- # - name: secretName
-
- # -- Cronjob schedule
- schedule: '*/10 * * * *'
-
- # -- Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them
- threshold: 10000
-
- # -- Cronjob history
- history:
- success: 1
- failure: 1
-
- # -- Security context for the pod
- podSecurityContext: {}
-
- # -- Security context for the containers
- securityContext:
- runAsNonRoot: true
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
-
- # -- Pod PriorityClassName
- priorityClassName: ""
-
- # -- Job resources
- resources: {}
-
- # -- List of node taints to tolerate
- tolerations: []
-
- # -- Node labels for pod assignment
- nodeSelector: {}
-
- # -- Pod Annotations
- podAnnotations: {}
-
- # -- Pod labels
- podLabels: {}
-
- # -- Pod anti affinity constraints.
- podAntiAffinity: {}
-
- # -- Pod affinity constraints.
- podAffinity: {}
-
- # -- Node affinity constraints.
- nodeAffinity: {}
-
- clusterEphemeralReports:
-
- # -- Enable cleanup cronjob
- enabled: true
-
- # -- Maximum number of retries before considering a Job as failed. Defaults to 3.
- backoffLimit: 3
-
- # -- Time until the pod from the cronjob is deleted
- ttlSecondsAfterFinished: ""
-
- image:
- # -- (string) Image registry
- registry: ~
- # -- Image repository
- repository: bitnami/kubectl
- # -- Image tag
- # Defaults to `latest` if omitted
- tag: '1.28.5'
- # -- (string) Image pull policy
- # Defaults to image.pullPolicy if omitted
- pullPolicy: ~
-
- # -- Image pull secrets
- imagePullSecrets: []
- # - name: secretName
-
- # -- Cronjob schedule
- schedule: '*/10 * * * *'
-
- # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
- threshold: 10000
-
- # -- Cronjob history
- history:
- success: 1
- failure: 1
-
- # -- Security context for the pod
- podSecurityContext: {}
-
- # -- Security context for the containers
- securityContext:
- runAsNonRoot: true
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
-
- # -- Pod PriorityClassName
- priorityClassName: ""
-
- # -- Job resources
- resources: {}
-
- # -- List of node taints to tolerate
- tolerations: []
-
- # -- Node labels for pod assignment
- nodeSelector: {}
-
- # -- Pod Annotations
- podAnnotations: {}
-
- # -- Pod Labels
- podLabels: {}
-
- # -- Pod anti affinity constraints.
- podAntiAffinity: {}
-
- # -- Pod affinity constraints.
- podAffinity: {}
-
- # -- Node affinity constraints.
- nodeAffinity: {}
-
# Admission controller configuration
admissionController:
# -- Overrides features defined at the root level
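Review bot: the whole `cleanupJobs` tree (`admissionReports`, `clusterAdmissionReports`, `updateRequests`, `ephemeralReports`, `clusterEphemeralReports`) is removed together with `reports.chunkSize`, but nothing left in the values says what now bounds report growth, and user overrides under `cleanupJobs` will be silently ignored after the upgrade unless the chart ships a values schema that rejects unknown keys. Please name the replacement mechanism in the upgrade notes. The new `tuf.rootRaw` description `# -- (string) Raw Tuf root` should also say the expected format (the root JSON itself or a base64-encoded form) and whether it is mutually exclusive with `root`.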
@@ -1104,8 +737,14 @@
rbac:
# -- Create RBAC resources
create: true
+ # -- Create rolebinding to view role
+ createViewRoleBinding: true
+
+ # -- The view role to use in the rolebinding
+ viewRoleName: view
+
serviceAccount:
# -- The ServiceAccount name
name:
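Review bot: `createViewRoleBinding: true` binds the admission controller's service account to the `view` role by default, and the comment does not say whether that is a namespaced RoleBinding or a ClusterRoleBinding, nor that the built-in `view` ClusterRole deliberately excludes Secrets. Together with the emptied `coreClusterRole.extraResources` in the next hunk this becomes the controller's default read scope, so the description should spell that scope out and point users at `clusterRole.extraResources` for anything beyond it.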
@@ -1116,17 +755,9 @@
coreClusterRole:
# -- Extra resource permissions to add in the core cluster role.
# This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
# @default -- See [values.yaml](values.yaml)
- extraResources:
- - apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
+ extraResources: []
clusterRole:
# -- Extra resource permissions to add in the cluster role
extraResources: []
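Review bot: replacing the `'*'`/`'*'` get/list/watch rule with `extraResources: []` is a welcome least-privilege tightening, but it is also a behavioural change: any policy that reads cluster resources through an `apiCall` context, or otherwise depends on the controller being able to list arbitrary kinds, now gets an RBAC denial until the operator adds those kinds under `clusterRole.extraResources`. The upgrade notes should say so, and the retained comment `This was introduced to avoid breaking change in the chart` no longer describes the current (empty) value.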
@@ -1148,16 +779,22 @@
# -- The number of revisions to keep
revisionHistoryLimit: 10
+ # -- Resync period for informers
+ resyncPeriod: 15m
+
# -- Additional labels to add to each pod
podLabels: {}
# example.com/label: foo
# -- Additional annotations to add to each pod
podAnnotations: {}
# example.com/annotation: foo
+ # -- Deployment annotations.
+ annotations: {}
+
# -- Deployment update strategy.
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
# @default -- See [values.yaml](values.yaml)
updateStrategy:
@@ -1515,8 +1152,14 @@
rbac:
# -- Create RBAC resources
create: true
+ # -- Create rolebinding to view role
+ createViewRoleBinding: true
+
+ # -- The view role to use in the rolebinding
+ viewRoleName: view
+
serviceAccount:
# -- Service account name
name:
@@ -1529,16 +1172,8 @@
# This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
# @default -- See [values.yaml](values.yaml)
extraResources:
- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
@@ -1561,9 +1196,8 @@
- apiGroups:
- ''
resources:
- configmaps
- - secrets
- resourcequotas
- limitranges
verbs:
- create
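Review bot: `secrets` is dropped from the core-group resource list that grants `create` (and the verbs that follow, cut off here) to the background controller alongside `configmaps`, `resourcequotas` and `limitranges`. Closing off write access to Secrets is the right default, but generate policies that clone or synchronize Secrets into namespaces are a common Kyverno use and will now fail with a forbidden error until the operator adds `secrets` back via `clusterRole.extraResources`; please document that in the upgrade notes.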
@@ -1604,16 +1238,22 @@
# -- The number of revisions to keep
revisionHistoryLimit: 10
+ # -- Resync period for informers
+ resyncPeriod: 15m
+
# -- Additional labels to add to each pod
podLabels: {}
# example.com/label: foo
# -- Additional annotations to add to each pod
podAnnotations: {}
# example.com/annotation: foo
+ # -- Deployment annotations.
+ annotations: {}
+
# -- Deployment update strategy.
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
# @default -- See [values.yaml](values.yaml)
updateStrategy:
@@ -1790,8 +1430,13 @@
collector: ''
# -- Otel collector credentials
creds: ''
+ # -- backgroundController server port
+ # in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to
+ server:
+ port: 9443
+
profiling:
# -- Enable profiling
enabled: false
# -- Profiling endpoint port
@@ -1859,16 +1504,22 @@
# -- The number of revisions to keep
revisionHistoryLimit: 10
+ # -- Resync period for informers
+ resyncPeriod: 15m
+
# -- Additional labels to add to each pod
podLabels: {}
# example.com/label: foo
# -- Additional annotations to add to each pod
podAnnotations: {}
# example.com/annotation: foo
+ # -- Deployment annotations.
+ annotations: {}
+
# -- Deployment update strategy.
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
# @default -- See [values.yaml](values.yaml)
updateStrategy:
@@ -2120,8 +1771,14 @@
rbac:
# -- Create RBAC resources
create: true
+ # -- Create rolebinding to view role
+ createViewRoleBinding: true
+
+ # -- The view role to use in the rolebinding
+ viewRoleName: view
+
serviceAccount:
# -- Service account name
name:
@@ -2132,17 +1789,9 @@
coreClusterRole:
# -- Extra resource permissions to add in the core cluster role.
# This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
# @default -- See [values.yaml](values.yaml)
- extraResources:
- - apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
+ extraResources: []
clusterRole:
# -- Extra resource permissions to add in the cluster role
extraResources: []
@@ -2171,16 +1820,22 @@
# -- The number of revisions to keep
revisionHistoryLimit: 10
+ # -- Resync period for informers
+ resyncPeriod: 15m
+
# -- Additional labels to add to each pod
podLabels: {}
# example.com/label: foo
# -- Additional annotations to add to each pod
podAnnotations: {}
# example.com/annotation: foo
+ # -- Deployment annotations.
+ annotations: {}
+
# -- Deployment update strategy.
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
# @default -- See [values.yaml](values.yaml)
updateStrategy:
@@ -2383,8 +2038,13 @@
collector: ~
# -- (string) Otel collector credentials
creds: ~
+ # -- reportsController server port
+ # in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to
+ server:
+ port: 9443
+
profiling:
# -- Enable profiling
enabled: false
# -- Profiling endpoint port
diff -U 4 -r out-default-values/target/loki_loki_default-values.out out-default-values/pr/loki_loki_default-values.out
--- out-default-values/target/loki_loki_default-values.out 2024-11-22 16:45:03.032248576 +0000
+++ out-default-values/pr/loki_loki_default-values.out 2024-11-22 16:44:31.740423239 +0000
@@ -1,4 +1,10 @@
+# -- Overrides the version used to determine compatibility of resources with the target Kubernetes cluster.
+# This is useful when using `helm template`, because then helm will use the client version of kubectl as the Kubernetes version,
+# which may or may not match your cluster's server version. Example: 'v1.24.4'. Set to null to use the version that helm
+# devises.
+kubeVersionOverride: null
+
global:
image:
# -- Overrides the Docker registry globally for all images
registry: null
@@ -820,8 +826,10 @@
# hostnames:
# - domain.tld
# -- Additional CLI arguments for the `admin-api` target
extraArgs: {}
+ # -- Environment variables from secrets or configmaps to add to the admin-api pods
+ extraEnvFrom: []
# -- Additional labels for the `admin-api` Deployment
labels: {}
# -- Additional annotations for the `admin-api` Deployment
annotations: {}
@@ -1073,8 +1081,10 @@
serverSnippet: ""
# -- Allows appending custom configuration to the http block, passed through the `tpl` function to allow templating
httpSnippet: >-
{{ if .Values.loki.tenants }}proxy_set_header X-Scope-OrgID $remote_user;{{ end }}
+ # -- Allows customizing the `client_max_body_size` directive
+ clientMaxBodySize: 4M
# -- Whether ssl should be appended to the listen directive of the server block or not.
ssl: false
# -- Override Read URL
customReadUrl: null
@@ -1098,8 +1108,10 @@
# hostnames:
# - domain.tld
# -- Additional CLI arguments for the `gateway` target
extraArgs: {}
+ # -- Environment variables from secrets or configmaps to add to the enterprise gateway pods
+ extraEnvFrom: []
# -- Additional labels for the `gateway` Pod
labels: {}
# -- Additional annotations for the `gateway` Pod
annotations: {}
diff -U 4 -r out-default-values/target/tempo_tempo_default-values.out out-default-values/pr/tempo_tempo_default-values.out
--- out-default-values/target/tempo_tempo_default-values.out 2024-11-22 16:45:08.904236053 +0000
+++ out-default-values/pr/tempo_tempo_default-values.out 2024-11-22 16:44:37.632378696 +0000
@@ -1,4 +1,8 @@
+global:
+ # -- Common labels for all object directly managed by this chart.
+ commonLabels: {}
+
# -- Overrides the chart's name
nameOverride: ""
# -- Overrides the chart's computed fullname |
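Review bot: the comment on the new `commonLabels` key reads 'all object directly managed by this chart'; it should be 'all objects'. It would also help to state whether these labels are added only to object metadata or also to pod templates and selectors, because a label that ends up in a Deployment selector cannot be changed later without recreating the resource.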
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml 2024-11-22 16:44:28.800436622 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clustercleanuppolicies.kyverno.io
spec:
group: kyverno.io
names:
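Review bot: this hunk bumps the CRD chart from 3.2.7 to 3.3.3 and the generator from controller-gen v0.15.0 to v0.16.1, so the schema edits in the rest of this file are regenerated validation rules, not cosmetic label changes. Before merging, dry-run the existing ClusterCleanupPolicy objects against the new CRD (`kubectl apply --dry-run=server`), because the tightened `oneOf`, `not` and `required` rules in the later hunks can reject manifests that the current CRD accepts.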
@@ -157,8 +157,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
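Review bot: the new `oneOf` under ContextEntry makes exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` mandatory, so a context entry that sets none of them, or more than one, is now rejected at admission where it was previously accepted; call this out as a breaking validation change. The `description` just above still says 'Either a ConfigMap reference or a APILookup must be provided' and should list all five alternatives (and read 'an APILookup').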
@@ -182,8 +193,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
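Review bot: the new `default` field's description says the context value is set to it 'if the apiCall returns error' (should read 'an error'). The question an operator will ask is whether the failed call is still surfaced through an event, log line or policy status, or silently replaced: a cleanup policy that deletes resources based on a defaulted context value would otherwise act on fallback data without anyone noticing. The description should state which it is.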
@@ -193,8 +209,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -208,8 +225,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
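Review bot: the new `headers` list stores each header `value` as a plain string in the policy object, so anything used to authenticate to the external JSON web service (an `Authorization` header, for example) would sit in cleartext in a cluster-scoped resource readable by anyone with `get` on clustercleanuppolicies; the description should say so and point at the intended secret-reference mechanism, if there is one. Also, `headers` is `type: array` with no `x-kubernetes-list-type` marker, while the label-selector arrays elsewhere in this diff gain `x-kubernetes-list-type: atomic`; for consistency consider `map` keyed on `key`, which would also reject duplicate header names.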
@@ -253,8 +286,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
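Review bot: `globalReference` now requires `name`, a sensible tightening, but note that a policy with an empty `globalReference: {}` passes validation today and will fail after this upgrade; include it in the list of schema changes to check existing policies against.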
@@ -326,15 +361,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
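Review bot: the `not: required: [any, all]` block under `exclude` rejects an exclude that sets both `any` and `all` in the same object, which the current schema allows, and `variable` entries now require `name`; both are admission-time tightenings that should appear in the upgrade notes so existing ClusterCleanupPolicy manifests can be checked before the CRD is replaced.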
@@ -349,422 +390,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- match:
- description: |-
- MatchResources defines when cleanuppolicy should be applied. The match
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the user name or role.
- At least one kind is required.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
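Review bot: the only addition in this 422-line hunk is `not: required: [name, names]`, which forbids setting the deprecated `name` together with `names` in a resource description, and it is buried in a block of removals because `diff -U 4` has aligned the new `exclude` properties against the old `match` properties. The removal of the `any:`, `match:`, `roles:`, `clusterRoles:` and `subjects:` paths shown here may therefore be an alignment artifact rather than a real schema change; review the rendered CRD side by side (or regenerate the diff with `--minimal`), and if those paths really disappear from the schema, treat it as a breaking change for any ClusterCleanupPolicy that uses them.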
@@ -824,13 +455,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -894,13 +527,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -966,813 +601,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- schedule:
- description: The schedule in Cron format
- type: string
- required:
- - schedule
- type: object
- status:
- description: Status contains policy runtime data.
- properties:
- conditions:
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastExecutionTime:
- format: date-time
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.schedule
- name: Schedule
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v2alpha1
- schema:
- openAPIV3Schema:
- description: ClusterCleanupPolicy defines rule for resource cleanup.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy behaviors.
- properties:
- conditions:
- description: Conditions defines the conditions used to select the
- resources which will be cleaned up.
- properties:
- all:
- description: |-
- AllConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, all of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- any:
- description: |-
- AnyConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, at least one of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- type: object
- context:
- description: Context defines variables and data sources that can be
- used during rule execution.
- items:
- description: |-
- ContextEntry adds variables and data sources to a rule Context. Either a
- ConfigMap reference or a APILookup must be provided.
- properties:
- apiCall:
- description: |-
- APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
- The data returned is stored in the context with the name for the context entry.
- properties:
- data:
- description: |-
- The data object specifies the POST data sent to the server.
- Only applicable when the method field is set to POST.
- items:
- description: RequestData contains the HTTP POST data
- properties:
- key:
- description: Key is a unique identifier for the data
- value
- type: string
- value:
- description: Value is the data value
- x-kubernetes-preserve-unknown-fields: true
- required:
- - key
- - value
- type: object
- type: array
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- method:
- default: GET
- description: Method is the HTTP request type (GET or POST).
- enum:
- - GET
- - POST
- type: string
- service:
- description: |-
- Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath field.
- properties:
- caBundle:
- description: |-
- CABundle is a PEM encoded CA bundle which will be used to validate
- the server certificate.
- type: string
- url:
- description: |-
- URL is the JSON web service URL. A typical form is
- `https://{service}.{namespace}:{port}/{path}`.
- type: string
- required:
- - url
- type: object
- urlPath:
- description: |-
- URLPath is the URL path to be used in the HTTP GET or POST request to the
- Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl get --raw` command.
- See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details.
- It's mutually exclusive with the Service field.
- type: string
- type: object
- configMap:
- description: ConfigMap is the ConfigMap reference.
- properties:
- name:
- description: Name is the ConfigMap name.
- type: string
- namespace:
- description: Namespace is the ConfigMap namespace.
- type: string
- required:
- - name
- type: object
- globalReference:
- description: GlobalContextEntryReference is a reference to a
- cached global context entry.
- properties:
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- name:
- description: Name of the global context entry
- type: string
- type: object
- imageRegistry:
- description: |-
- ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
- details.
- properties:
- imageRegistryCredentials:
- description: ImageRegistryCredentials provides credentials
- that will be used for authentication with registry
- properties:
- allowInsecureRegistry:
- description: AllowInsecureRegistry allows insecure access
- to a registry.
- type: boolean
- providers:
- description: |-
- Providers specifies a list of OCI Registry names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.
- items:
- description: ImageRegistryCredentialsProvidersType
- provides the list of credential providers required.
- enum:
- - default
- - amazon
- - azure
- - google
- - github
- type: string
- type: array
- secrets:
- description: |-
- Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
- items:
- type: string
- type: array
- type: object
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the ImageData struct returned as a result of processing
- the image reference.
- type: string
- reference:
- description: |-
- Reference is image reference to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest
- type: string
- required:
- - reference
- type: object
- name:
- description: Name is the variable name.
- type: string
- variable:
- description: Variable defines an arbitrary JMESPath context
- variable that can be defined inline.
- properties:
- default:
- description: |-
- Default is an optional arbitrary JSON object that the variable may take if the JMESPath
- expression evaluates to nil
- x-kubernetes-preserve-unknown-fields: true
- jmesPath:
- description: |-
- JMESPath is an optional JMESPath Expression that can be used to
- transform the variable.
- type: string
- value:
- description: Value is any arbitrary JSON object representable
- in YAML or JSON form.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- exclude:
- description: |-
- ExcludeResources defines when cleanuppolicy should not be applied. The exclude
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name or role.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
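Review bot: The bulk of this hunk deletes a whole schema block (the operator enums, `context`, `exclude`, `subjects`, down to the closing `type: array` of the exclude section) instead of editing it, which together with the `served`/`storage` flips further down this file means an entire CRD version is being dropped. Before this is rolled out, check `status.storedVersions` on the installed CRD: the API server rejects a CRD update that removes a version still listed there, so any objects persisted in the removed version have to be rewritten into a surviving version first. The two `+` lines inside the deletion (`+ not:` and `+ - names`) are diff-alignment artefacts of the `not: required: [name, names]` constraint added in later hunks, not stray edits.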
@@ -1832,13 +666,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
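Review bot: `x-kubernetes-list-type: atomic` on the `values` array and on the `matchExpressions` array changes server-side apply semantics for every selector in this CRD: the list is owned by a single field manager and replaced as a whole on apply instead of being merged element by element. That matches what newer controller-gen emits for `metav1.LabelSelector`, but anyone applying selectors from more than one manager (for example a GitOps controller plus a hand-applied patch) will now see the last writer win on the entire list, so it is worth a line in the release notes. The same change repeats in the following hunks and is not commented on again.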
@@ -1902,13 +738,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1966,8 +804,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
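Review bot: The added `not: required: [any, all]` only rejects a `match` that sets both `any` and `all`; it does not enforce the "At least one kind is required" sentence in the description three lines above, so a `match: {}` still passes schema validation and is only caught (if at all) by the controller's own checks. If the intent is to make the schema self-sufficient, pair this with `anyOf: [required: [any], required: [all]]`; otherwise the description should say that the at-least-one rule is enforced server-side rather than by the schema.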
@@ -1982,8 +824,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
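Review bot: `not: required: [name, names]` on `resources` makes `name` and `names` mutually exclusive, which is the right follow-through on the `NOTE: "Name" is being deprecated in favor of "Names"` text that appears in the removed block above. Existing policies that set both fields will now fail validation on their next update rather than at apply time of this chart, so that combination should be flagged in the upgrade notes. The identical constraint is added under each `all`/`any` entry in the later hunks; this comment applies to all of them.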
@@ -2043,13 +889,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2113,13 +961,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2185,8 +1035,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2246,13 +1100,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2316,13 +1172,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2378,25 +1236,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
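Review bot: Adding `match` to the spec's `required` list is a tightening: a cleanup policy with only `schedule` was previously schema-valid and will now be rejected on create or update, so any such objects in the cluster will fail their next reconcile-driven update. The replacement `Condition` description is an improvement (the old one embedded a Go struct with `---` separators and tab escapes that rendered as noise in `kubectl explain`), and nothing in the `properties` below it changes, so the schema itself is unaffected by that part.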
@@ -2435,14 +1286,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -2459,10 +1305,10 @@
type: object
required:
- spec
type: object
- served: false
- storage: false
+ served: true
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
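Review bot: Flipping this version from `served: false`/`storage: false` to `served: true`/`storage: true` makes it the new storage version, while `v2beta1` is marked `deprecated: true` in the next hunk and drops to `storage: false` at the end of this file. Storage-version changes are not applied retroactively: objects already in etcd stay encoded in v2beta1 until they are written again, so after the upgrade every existing object should be rewritten once (an otherwise empty update through the API is enough) and `status.storedVersions` pruned, otherwise v2beta1 can never be removed in a later release.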
@@ -2470,8 +1316,9 @@
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: ClusterCleanupPolicy defines rule for resource cleanup.
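Review bot: `deprecated: true` on `v2beta1` makes the API server attach a generic deprecation warning to every request for this version; consider also setting `deprecationWarning` alongside it with a message naming the replacement version and the removal timeline, since that text is what clients and `kubectl` users will actually see. The `additionalPrinterColumns` context lines show this version keeps its columns, so `kubectl get` output is unchanged for now.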
@@ -2595,8 +1442,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
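Review bot: The new `oneOf` over `configMap`, `apiCall`, `imageRegistry`, `variable` and `globalReference` finally enforces exactly one source per context entry, but the description immediately above it still says "Either a ConfigMap reference or a APILookup must be provided", which now names two of five alternatives. Suggest updating that sentence to list all five (or to say "exactly one of the following sources") in the same change so the schema and the docs agree; the same stale description recurs with the same `oneOf` in the v2beta1 block and in the clusterpolicies CRD below.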
@@ -2620,8 +1478,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
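Review bot: The new `apiCall.default` means an API lookup that errors no longer fails the rule; the context variable silently takes the default value instead. From a policy-safety standpoint that is a fail-open switch: a default that makes a validate rule pass (for example an empty list that an `AllIn` check then treats as satisfied) converts a transient API server error into an allowed request. The description should state this explicitly, and it would help reviewers if the field documented that omitting it preserves the previous behaviour of the rule erroring out.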
@@ -2631,8 +1494,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2646,8 +1510,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
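Review bot: `headers` is a plain list of `key`/`value` strings with no secret reference, so any authentication header placed here (a bearer token or API key for the external JSON service) ends up in clear text in the policy object, in etcd and in every `kubectl get -o yaml` of the policy. The description should warn that headers are not a place for credentials, or a `valueFrom`-style secret reference should be added before this is relied on for authenticated calls. The same field is added in the v2beta1 block and in the clusterpolicies CRD below.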
@@ -2691,8 +1571,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2764,15 +1646,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -2787,8 +1675,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2848,13 +1740,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2918,13 +1812,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2990,8 +1886,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3051,13 +1951,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3121,13 +2023,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3185,8 +2089,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -3201,8 +2109,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3262,13 +2174,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3332,13 +2246,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3404,8 +2320,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3465,13 +2385,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3535,13 +2457,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3597,25 +2521,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
@@ -3654,14 +2571,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -3679,7 +2591,7 @@
required:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {} |
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 2024-11-22 16:44:28.800436622 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
names:
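Review bot: The `crds` subchart moves from 3.2.7 to 3.3.3 (a minor-version jump spanning several releases) and the CRDs are regenerated with controller-gen v0.16.1 instead of v0.15.0, which explains the many purely mechanical `x-kubernetes-list-type: atomic` additions in this file. Because this path sits under `charts/kyverno/charts/crds`, the parent kyverno chart (and with it the controller image) must move to the matching 3.3.x release in the same PR; installing 3.3.3 CRDs against a 3.2.x controller leaves fields such as the new `emitWarning` accepted by the API server but ignored at runtime.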
@@ -32,11 +32,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
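Review bot: Dropping the `VALIDATE ACTION` printer column (`.spec.validationFailureAction`) changes `kubectl get clusterpolicy` output; any dashboards, scripts or runbooks that read that column to confirm policies are in `Enforce` rather than `Audit` will lose it and need to query the field directly. Worth a line in the upgrade notes, since "is this policy actually enforcing?" is exactly the question an on-call engineer asks from that listing.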
@@ -113,31 +110,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
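Review bot: `failurePolicy` is now documented as deprecated in favour of `webhookConfiguration.failurePolicy`, but the removed description carried the only statement of the default ("Defaults to Fail") and the replacement text does not say what applies when neither field is set. Since a fail-open webhook silently disables admission control during API server or controller outages, the new description should state the effective default and whether a legacy `spec.failurePolicy: Fail` is still honoured when `webhookConfiguration` is absent. Separately, the new `emitWarning` description reads fine, but the deprecation strings for `generateExisting` and `mutateExistingOnPolicyUpdate` lack the trailing period used two lines earlier for `failurePolicy`; suggest making the three consistent.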
@@ -153,16 +150,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
- by fulfilled for a request to be sent to a webhook.
+ be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -170,9 +166,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -183,9 +178,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -198,8 +192,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -224,8 +229,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -235,9 +245,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -251,8 +261,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -296,8 +322,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -370,15 +398,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
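Review bot: `not: required: [any, all]` under `exclude` rejects a block that sets both `any` and `all`, but the description above it still only says what the exclude criteria can include; add a sentence such as "Either `any` or `all` may be set, not both" so the restriction is visible without reading the schema. The added `required: [name]` on context entries is consistent with the source-selection `oneOf` and needs no further change.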
@@ -394,8 +428,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
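Review bot: `name` and `names` become mutually exclusive on `resources`, yet the description `ResourceDescription contains information about the resource being created or modified.` does not mention it or say which form is preferred. Since this same `not` block is repeated for every match/exclude resources section in the CRD, a stored policy that sets both fields will be rejected on its next update; call that out in the upgrade notes and add the restriction to the description.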
@@ -456,13 +494,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
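Review bot: adding `x-kubernetes-list-type: atomic` to `matchExpressions` and its `values` changes server-side-apply semantics for an existing field: a field manager applying the list now replaces it wholesale instead of merging, so two appliers contributing separate expressions will overwrite each other. This mirrors upstream `metav1.LabelSelector`, so it is the right fix, but it belongs in the changelog. The same annotation is repeated on every label selector below, so this comment covers those hunks too.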
@@ -527,13 +567,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -600,8 +642,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -662,13 +708,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -733,13 +781,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -802,8 +852,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -863,13 +917,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -933,13 +989,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1051,13 +1109,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1073,8 +1133,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
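Review bot: the `foreach` item schema ends at `type: object` with no `required` list, so `apiVersion`, `kind` and `name` can be omitted at the schema level even though a generated resource needs all three; add `required` entries (or document that the controller validates them) so a misconfigured generate rule fails at admission rather than in background processing. Two copy-paste descriptions also need fixing: `list` reads "to which the validation logic is applied" although this is a generate rule, and the nested ContextEntry still says "Either a ConfigMap reference or a APILookup must be provided." despite the five-way `oneOf` above it. Finally, `generateExisting` is described as "If is set to "true"" (missing "it"), and since it re-applies the rule to every existing matched resource it deserves an explicit statement of the default when unset.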
@@ -1146,8 +1651,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -1163,8 +1672,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1225,13 +1738,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1296,13 +1811,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1369,8 +1886,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1431,13 +1952,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1502,13 +2025,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1571,8 +2096,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1632,13 +2161,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1702,13 +2233,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1778,8 +2311,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -1804,8 +2348,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -1815,9 +2364,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -1831,8 +2380,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -1878,8 +2446,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -1953,8 +2523,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -2090,8 +2662,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
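Review bot: `mutateExistingOnPolicyUpdate` has no `default:` while its sibling `skipBackgroundRequests` below declares `default: true`; state the unset behaviour in the description and add `default: false` if that is the intent. A mutate-existing rule silently re-running against every matched resource whenever the policy object is edited is a significant blast-radius change, so operators need to be able to read the default off the schema.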
@@ -2118,8 +2694,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2144,8 +2731,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2155,9 +2747,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2171,8 +2763,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -2218,8 +2829,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2293,8 +2906,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -2312,8 +2927,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
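Review bot: the description `Selector allows you to select target resources with their labels.` does not say how `selector` composes with the target's existing `name`, `namespace` and `uid` fields (ANDed, or ignored when `name` is set?) nor whether an empty `selector: {}` matches every resource of that kind. Mutate-existing targets rewrite objects outside the admission request, so the composition rules should be spelled out here rather than left to experimentation.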
@@ -2331,8 +2994,14 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
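Review bot: `reportProperties` is an unbounded map of free-form strings that gets copied into every PolicyReport result produced by the rule; consider a `maxProperties` limit or a key pattern so a single policy cannot inflate report objects, and state in the description whether values are literal or may contain JMESPath variable references.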
@@ -2341,13 +3010,22 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting violating
+ resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
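Review bot: `allowExistingViolations` defaulting to `true` means a resource that already violated the rule can keep violating across updates; that is a sensible backwards-compatible default, but the description ("prexisting" is a typo) should say which updates are exempt (any update, or only ones that leave the violating field untouched), because operators tightening a policy will otherwise expect updates to be blocked. For `assert`, `type: object` with `x-kubernetes-preserve-unknown-fields` is fine, but `Assert defines a kyverno-json assertion tree.` needs at least a link to the tree format, as the other validation fields have.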
@@ -2364,21 +3042,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -2390,15 +3065,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -2416,9 +3089,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -2436,12 +3109,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -2459,9 +3132,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -2533,29 +3206,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
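Review bot: this hunk is a docs sync from upstream ParamRef, but the rendered chartdiff is ambiguous: lines such as `- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this` look like bulleted context lines rather than removals, since the following `field results in a configuration error.` is kept. Re-render with a larger `-U` (or colourised output) to confirm no description line was actually dropped before merging.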
@@ -2568,22 +3241,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
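Review bot: The `parameterNotFoundAction` description replaces `Default to Deny` with `Required`, but nothing in this hunk adds `parameterNotFoundAction` to the parent object's `required:` list, so the schema still accepts a binding that omits it while the docs call it mandatory; either add it to `required:` or keep stating the default so the fail-closed behaviour (no matched params means the request is denied) stays explicit.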
@@ -2612,13 +3283,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2636,9 +3309,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -2653,8 +3327,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -2667,8 +3342,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
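Review bot: `failureAction` at the top of this hunk only accepts `Audit`/`Enforce`, while the per-namespace `failureActionOverrides[].action` enum additionally accepts lower-case `audit`/`enforce`, so a value that is valid in an override is rejected at the rule level; align the two enums. Also, unlike the deprecated `validationFailureAction` (which has `default: Audit`), `failureAction` carries no `default:` although its description calls it Optional; state what happens when it is unset, since that decides whether a violation blocks admission or is only reported.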
@@ -2689,8 +3445,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
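Review bot: The `ContextEntry` description still says `Either a ConfigMap reference or a APILookup must be provided`, but the new `oneOf` lists five alternatives (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`); update the description to match, and mention in the chart notes that `oneOf` now rejects a context entry that sets more than one source, which is a validation tightening for existing policies.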
@@ -2715,8 +3482,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
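Review bot: The new `apiCall.default` description says the context value is set to it `if the apiCall returns error`, but not whether the error is then swallowed; spell out whether a failed lookup that falls back to `default` still counts as a rule failure under the policy's failure handling, because a default that silently replaces an errored API response turns a fail-closed check into a fail-open one for any rule that only inspects the context value.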
@@ -2726,9 +3498,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2742,8 +3514,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
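Review bot: `headers[].value` is a plain `type: string` with no secret-reference alternative, so any Authorization or API-key header for the JSON web service is stored in clear text in the policy object; either document that restriction in the `headers` description or add a secret-backed value source. The `headers` list (like the `data` list above it) also lacks the `x-kubernetes-list-type: atomic` marker that the other lists in this diff receive.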
@@ -2789,8 +3580,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2864,8 +3657,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -3071,8 +3866,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
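Review bot: The `tsaCertChain` description ends in the garbled word `timestamurce`, so the clause `if not present in the ...` is missing its intended noun; restore it in the source type, because this exact description is duplicated verbatim in every other `tsaCertChain` block of this diff and each copy carries the same defect.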
@@ -3121,13 +3922,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
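Review bot: The `issuerRegExp` description (and `subjectRegExp` in the next hunk) does not say whether the pattern is anchored or matched as a substring, nor how it combines with the literal `issuer`/`subject` when both are set; because these fields decide which keyless signing identity is trusted, document full-match versus search semantics and the precedence, otherwise an unanchored pattern admits more identities than the policy author intended.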
@@ -3157,8 +3969,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3177,8 +3995,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3234,18 +4058,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
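Review bot: The deprecated `keys.signatureAlgorithm` keeps `default: sha256`, so the defaulted value is always present alongside the new attestor-level `signatureAlgorithm`, which also defaults to `sha256`; state which one wins when a policy sets them to different values, and consider dropping the default on the deprecated field so that only explicitly set legacy values are carried over.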
@@ -3472,8 +4301,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3522,13 +4357,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3558,8 +4404,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3578,8 +4430,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3636,19 +4494,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -3763,8 +4625,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -3832,8 +4697,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3881,13 +4752,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3916,8 +4798,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -3936,8 +4824,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3992,22 +4886,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
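Review bot: The `imageVerify.failureAction` added at the end of this hunk has only `Allowed values are Audit or Enforce.` as its description, with no default and no statement of how it relates to `validate.failureAction` or the deprecated `validationFailureAction`; add the precedence and the behaviour when unset, since for image verification this decides whether an unsigned image is blocked or merely reported.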
@@ -4091,26 +5001,50 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
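Review bot: Adding `match` to `required:` at the bottom of this hunk is a breaking schema change: existing policy objects whose rules omit `match` will fail validation on their next update, so this belongs in the release notes of the chart bump. Minor: the `type` description spells the new value `Sigstore Bundle` while the enum entry is `SigstoreBundle`.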
@@ -4123,23 +5057,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
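Review bot: Both deprecation messages in this hunk point at fields that do not exist under the validate rule: they say `use validationFailureAction under the validate rule` and `use validationFailureActionOverrides under the validate rule`, but the fields introduced under `validate` earlier in this diff are `failureAction` and `failureActionOverrides`. Correct the names so users following the deprecation notice do not write a key the schema rejects.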
@@ -4181,13 +5111,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4203,14 +5135,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
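Review bot: The `failurePolicy` description says `Defaults to Fail` but the schema carries no `default: Fail` (compare `method`, which has `default: GET`), so clients reading the CRD cannot see the default; add it, because failurePolicy is the fail-open/fail-closed switch for the whole webhook. Also drop `This field should not be accessed directly, instead GetFailurePolicy() should be used` from the description: that is a Go API comment that has leaked into user-facing CRD docs.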
@@ -4218,9 +5161,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4228,9 +5170,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4241,22 +5182,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
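Review bot: The deprecation text on `webhookTimeoutSeconds` tells users to `use webhookTimeoutSeconds under webhookConfiguration`, but the field added to `webhookConfiguration` in the same hunk is `timeoutSeconds`; fix the name. `timeoutSeconds` also states `the value must be between 1 and 30 seconds` without `minimum: 1` / `maximum: 30` in the schema, so add those bounds and let the API server reject out-of-range values instead of the controller.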
@@ -4279,16 +5224,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4296,9 +5240,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4309,9 +5252,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
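Review bot: The typo fix `must by fulfilled` to `must be fulfilled` at the top of this hunk is applied only to the `celPreconditions` copy of the MatchCondition description; the `webhookConfiguration.matchConditions` copy earlier in this diff still reads `by fulfilled`. Fix both in the source type so the generated descriptions stay identical.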
@@ -4324,8 +5266,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -4350,8 +5303,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -4361,9 +5319,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -4377,8 +5335,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -4422,8 +5396,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -4497,15 +5473,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
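Review bot: The new `not: required: [any, all]` under `exclude` rejects an exclude block that sets both `any` and `all`, but the description above it does not say the two are mutually exclusive; add that sentence, and do the same for `name`/`names` in the `resources` blocks that receive `not: required: [name, names]` below, so a policy author learns the rule from the docs rather than from an admission error.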
@@ -4521,8 +5503,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4583,13 +5569,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4655,13 +5643,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4728,8 +5718,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4790,13 +5784,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4862,13 +5858,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4931,8 +5929,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4993,13 +5995,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5064,13 +6068,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5185,13 +6191,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5207,8 +6215,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
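Review bot: `allowInsecureRegistry` under `context[].imageRegistry.imageRegistryCredentials` carries no `default:` in the schema, unlike `method: default: GET` in the same block, so the unset behaviour is not stated (an unset boolean is normally treated as false, but the description should say so); consider flagging any policy in this repo that sets it to `true`, since it weakens the registry lookups an image-verification rule depends on. The `secrets` list states that credentials "must live in the Kyverno namespace", so the RBAC on that namespace is what governs who can make the controller use them.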
@@ -5280,8 +6741,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
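Review bot: the new `not: required: [any, all]` on MatchResources makes `any` and `all` mutually exclusive at the CRD level, so an existing policy that sets both keys in one `match` block will be rejected on the next apply instead of being evaluated as before; worth grepping the policies in this repo for a `match:` that carries both before merging.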
@@ -5297,8 +6762,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
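Review bot: `not: required: [name, names]` now rejects a ResourceDescription that sets both `name` and `names`, but the description text above it does not mention the constraint, so a policy author will only discover it from the apply error. The same `not` block recurs for every ResourceDescription occurrence further down in this diff, which is expected for a generated CRD.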
@@ -5359,13 +6828,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
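Review bot: `x-kubernetes-list-type: atomic` on `matchExpressions` and on its `values` changes server-side apply semantics: the whole list is owned and replaced by the last applier rather than merged per element, so two controllers or pipelines managing different selector requirements on the same policy will overwrite each other. This is the upstream Kubernetes LabelSelector schema, so nothing to change here, but worth knowing if policies are co-managed.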
@@ -5431,13 +6902,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5504,8 +6977,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5566,13 +7043,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5638,13 +7117,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5707,8 +7188,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5769,13 +7254,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5840,13 +7327,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5917,8 +7406,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
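Review bot: the added `oneOf` requires exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` and `globalReference` per context entry, but the description two lines above still says "Either a ConfigMap reference or a APILookup must be provided"; that wording is stale relative to the constraint and should list all five (upstream text). Any context entry that currently combines two of these keys in one item will fail validation after this update.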
@@ -5944,8 +7444,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
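Review bot: `default` turns an `apiCall` failure into a policy-supplied context value. For a validate rule that is meant to fail closed, the default has to be chosen so the rule still denies (an empty list rather than a permissive object, for instance), otherwise an error from the server becomes a silent allow; the description should spell that out.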
@@ -5955,9 +7460,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -5971,8 +7476,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
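Review bot: `headers[].value` is a plain string in the policy spec, so anything placed there (an `Authorization` value for the JSON web service, say) is stored in cleartext in the Policy object and readable by anyone with read access to policies; this schema offers no secret-reference variant. The description should warn against putting credentials in `headers`; `caBundle` in the same block remains the only way to pin the service certificate.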
@@ -6020,8 +7544,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6097,8 +7623,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -6237,8 +7765,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
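Review bot: `mutateExistingOnPolicyUpdate` has no `default:` (compare `skipBackgroundRequests: default: true` later in this diff), so a reader of the schema cannot tell whether editing a policy re-mutates existing resources when the field is unset; please document the unset behaviour, since an unexpected re-mutation of live workloads on a policy edit is an availability risk.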
@@ -6265,8 +7798,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -6292,8 +7836,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -6303,9 +7852,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6319,8 +7868,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6368,8 +7936,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6445,8 +8015,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -6464,8 +8036,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
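Review bot: the `selector` added to mutate `targets` widens what a mutateExisting rule can touch from a named resource to every resource matching a label set, and the description does not say whether an empty selector matches all targets (the upstream LabelSelector text further down in this diff says an empty label selector matches all objects). Policies that use it should pair the selector with `kind` and `namespace` so a broad label does not mutate unintended resources.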
@@ -6483,8 +8103,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -6493,13 +8120,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
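Review bot: `allowExistingViolations` defaults to `true`, meaning resources that already violate a rule keep passing admission on update; teams that rely on Enforce to catch drift on existing objects must set it to `false` explicitly, so this default belongs in the upgrade notes. `assert` is a free-form object (`x-kubernetes-preserve-unknown-fields: true`), so the API server performs no structural validation of the kyverno-json tree and a malformed assertion only surfaces at rule evaluation.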
@@ -6516,21 +8153,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -6542,15 +8176,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -6569,14 +8201,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -6591,12 +8223,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -6615,10 +8247,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -6690,29 +8322,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -6725,22 +8357,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
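Review bot: the "Default to `Deny`" sentence is removed and replaced by "Required", so a binding that omitted this field and relied on the documented deny fallback now has no stated behaviour when no parameter matches; every CEL policy in this repo with a `paramRef` should set the field to `Deny` explicitly, because `Allow` treats a missing parameter as successful validation.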
@@ -6769,13 +8399,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -6793,9 +8425,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -6810,8 +8443,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -6824,8 +8458,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
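Review bot: the `action` enum under `failureActionOverrides` accepts `audit`/`enforce` in both lower-case and capitalised form, while the top-level `failureAction` accepts only `Audit`/`Enforce`; the asymmetry is upstream, but an author copying a lower-case value from an override into `failureAction` will get a validation error. The `namespaces` list has no description, and nothing here states how a namespace listed in several overrides is resolved.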
@@ -6847,8 +8562,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -6874,8 +8600,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -6885,9 +8616,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6901,8 +8632,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6950,8 +8700,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -7027,8 +8779,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -7238,8 +8992,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
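Review bot: the `tsaCertChain` description ends in `timestamurce`, which is not a word and reads like a truncated phrase; the same text recurs in every other `tsaCertChain` hunk in this diff. The wording comes from the chart's CRD, so the fix belongs upstream, but it is worth reporting because this field decides which root CA is trusted for RFC3161 timestamps and users will rely on the description when setting it.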
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -7288,13 +9048,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -7324,8 +9095,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
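Review bot: `subjectRegExp` (and `issuerRegExp` in the previous hunk) relaxes the keyless identity check from an exact match to a regular expression, and the description says nothing about anchoring; in Go's regexp a pattern without `^` and `$` matches anywhere in the subject string, so an unanchored pattern accepts any identity containing it. Suggest the description recommend anchored patterns, and that this repo's policies keep using exact `subject` / `issuer` where possible.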
@@ -7344,8 +9121,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7402,19 +9185,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
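Review bot: `keys.signatureAlgorithm` is marked deprecated in favour of the new attestor-level `signatureAlgorithm`, yet it keeps `default: sha256`, so every policy object will still carry the deprecated field after API defaulting and the two fields can disagree. Suggest checking this repo's image verification policies for `signatureAlgorithm` under `keys` and moving it up to the attestor, and asking upstream whether the deprecated field should drop its default.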
@@ -7642,8 +9429,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -7694,13 +9487,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -7732,8 +9537,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -7753,8 +9565,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7813,19 +9631,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -7940,8 +9764,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -8009,8 +9836,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -8059,13 +9892,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -8095,8 +9939,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -8115,8 +9965,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -8173,22 +10029,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
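Review bot: `cosignOCI11` says "Defaults to false" in its description but, unlike `useCache` and `verifyDigest` further down, carries no `default:` key, so the default is applied in code rather than by the API server; likewise `failureAction` gets an enum but no stated default. Suggest adding `default: false` to `cosignOCI11` upstream and documenting what `failureAction` falls back to when unset.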
@@ -8273,42 +10145,58 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
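Review bot: the added `required: - match` at the rule level is a validation tightening, not a cosmetic schema change: any existing policy with a rule that omits `match` will be rejected on the next apply. Suggest grepping this repo's Kyverno policies for rules without `match` before merging. Also note that `validate.deny.conditions` is declared as `x-kubernetes-preserve-unknown-fields: true` with no sub-schema, so the `any`/`all` shape described in its text is only checked at evaluation time, not at admission.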
@@ -8347,14 +10235,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -8406,10 +10289,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
@@ -8423,11 +10304,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
@@ -8504,30 +10382,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
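Review bot: three top-level fields become deprecated in this hunk, with `failurePolicy` moving under `webhookConfiguration` and `generateExisting` / `mutateExistingOnPolicyUpdate` moving under the generate and mutate rules. The schema still accepts them, so nothing breaks at apply time, but policies in this repo that set them should be migrated now rather than after upstream removes them. The new `emitWarning` description also states that enabling it "will extend admission request processing times", so keep its default of `false` unless the warnings are actually consumed.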
@@ -8550,9 +10429,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -8560,9 +10438,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -8573,9 +10450,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -8588,8 +10464,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -8614,8 +10501,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -8625,9 +10517,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -8641,8 +10533,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -8686,8 +10594,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -8760,15 +10670,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
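Review bot: `not: required: [any, all]` under `exclude` means an exclude block that sets both `any` and `all` is now rejected by the API server, but the description above it does not mention the restriction; the same construct is applied to `resources.name` versus `names` in the next hunk. Suggest the description state the mutual exclusion, and a check of this repo's policies for exclude blocks that combine the two keys.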
@@ -8784,8 +10700,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -8846,13 +10766,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8917,13 +10839,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8990,8 +10914,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9052,13 +10980,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9123,13 +11053,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9243,13 +11175,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9265,8 +11199,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
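Review bot: the `generateExisting` block at the end of this hunk declares `type: boolean` with no `default`, so the description should say what happens when the field is omitted; per its own text, enabling it widens the rule from newly admitted objects to every already-existing matched resource, which deserves a line in the upgrade notes. Two wording fixes in the same hunk: the `all` and `any` descriptions read "finer control of when an rule is applied" (should be "a rule"), and the `generateExisting` description reads "If is set to "true"" (should be "If set to "true"").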
@@ -9338,8 +11717,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
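Review bot: the new `not: required: - any - all` under MatchResources turns the any/all exclusivity into a server-side schema check. Stored objects are not re-validated when the CRD is replaced, so a policy that currently sets both `any` and `all` keeps working until its next update and then fails admission; worth auditing existing policies for that combination before rolling this out. The description just above ("At least one kind is required.") could also mention the new constraint.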
@@ -9355,8 +11738,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
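Review bot: same kind of exclusivity check for `name` and `names` in ResourceDescription (`not: required: - name - names`); any existing policy that lists both fields will be rejected on its next write, and the ResourceDescription description does not say that only one of the two may be set.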
@@ -9417,13 +11804,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
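Review bot: the two `x-kubernetes-list-type: atomic` markers added on `values` and on `matchExpressions` change server-side apply semantics: an atomic list is owned and replaced as a whole, so two field managers can no longer each own separate elements of the same selector. This matches the upstream LabelSelector definition and is fine to take, but it is a behaviour change for anyone patching selectors with SSA, not a pure metadata tweak.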
@@ -9488,13 +11877,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9561,8 +11952,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9623,13 +12018,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9694,13 +12091,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9772,8 +12171,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
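Review bot: the new `oneOf` on ContextEntry makes the five sources mutually exclusive (exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`), but the description directly above it still says "Either a ConfigMap reference or a APILookup must be provided"; update it to list all five (and "an APILookup"). Because `oneOf` rejects entries that set more than one source, a context entry that today carries both `configMap` and `apiCall` would fail validation on its next write.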
@@ -9798,8 +12208,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
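Review bot: the `default` field added to `apiCall` ("the context value is set to, if the apiCall returns error") means a failing lookup no longer aborts the rule but silently substitutes a caller-supplied value. In a validate or verify rule that is a fail-open path, so the description should make clear that the fallback applies on any error condition, not only a missing object, and recommend choosing a default that makes the subsequent check fail rather than pass. Minor: "returns error" should read "returns an error".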
@@ -9809,9 +12224,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -9825,8 +12240,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
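Review bot: the `headers` list added under the service call has no way to reference a Secret; each header `value` is a plain `type: string` stored inside the policy object itself. Since the obvious use is an Authorization or API-key header for the external JSON web service, the description ("Headers is a list of optional HTTP headers to be included in the request.") should state that values are stored in clear text and are readable by anyone with read access to the policy resource, so credentials should not be placed here unless that exposure is acceptable.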
@@ -9872,8 +12306,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -9947,8 +12383,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -10084,8 +12522,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
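Review bot: `mutateExistingOnPolicyUpdate` is declared `type: boolean` with no `default`, and its description ("controls if the mutateExisting rule will be applied on policy events") does not say what an omitted value means. Since enabling it means every edit to the policy re-applies the mutation to all matching live resources, both the default and that consequence should be spelled out.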
@@ -10112,8 +12554,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -10138,8 +12591,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -10149,9 +12607,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10165,8 +12623,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -10212,8 +12689,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -10287,8 +12766,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -10306,8 +12787,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
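Review bot: the new `selector` under targets sits beside the existing `name`, `namespace` and `uid` fields, but unlike the `name`/`names` pair earlier in this diff there is no `not: required` constraint, and the description ("Selector allows you to select target resources with their labels.") does not say whether a selector is ANDed with `name` or is an alternative to it. Please state the combination rule; a mutate-existing target that silently widens from one named object to every labelled object is a large change in blast radius.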
@@ -10427,8 +12956,12 @@
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
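Review bot: `assert` is declared `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server performs no validation of the assertion tree and a mistyped key is only discovered when the policy is evaluated. The one-line description ("Assert defines a kyverno-json assertion tree.") should at least link to the assertion-tree syntax, as the deny-conditions description elsewhere in this diff links to its reference page.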
@@ -10445,21 +12978,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -10471,15 +13001,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -10497,9 +13025,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -10517,12 +13045,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -10540,9 +13068,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -10614,29 +13142,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -10649,22 +13177,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
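Review bot: `parameterNotFoundAction` loses its "Default to `Deny`" line and gains "Required" instead. Any binding that relied on the implicit Deny must now set the field explicitly, and if an author picks `Allow` the text above ("matched parameters will be treated as successful validation by the binding") means a missing param object makes the policy pass, so the description should flag Allow as the fail-open choice.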
@@ -10693,13 +13219,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -10717,9 +13245,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -10734,8 +13263,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -10837,8 +13367,89 @@
type: object
type: array
type: object
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
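Review bot: the validate-level `failureAction` added here and the `failureActionOverrides[].action` enum disagree: the former accepts only `Audit`/`Enforce`, the latter also `audit`/`enforce`. Pick one casing for both. `failureAction` also has no `default`, and its description says "Optional" without saying what an omitted value means; given that the deprecated top-level `validationFailureAction` defaults to `Audit`, authors need to know whether an unset rule-level action is audit-only, i.e. fail-open. Two smaller points: the deprecation text later in this diff says "use validationFailureAction under the validate rule", but the field added here is named `failureAction`, so the two should be aligned; and `namespaces` under the override has no description.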
@@ -10859,8 +13470,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -10885,8 +13507,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -10896,9 +13523,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10912,8 +13539,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -10959,8 +13605,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -11034,8 +13682,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -11241,8 +13891,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
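Review bot: `tsaCertChain` is a `type: string` field, yet its description calls it "the PEM-encoded certificate chain file"; clarify that the value is the PEM content itself and not a path. The last sentence also ends in the garbled word "timestamurce", which recurs in every copy of this field in the diff and should be fixed at the source rather than in the generated CRD.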
@@ -11291,13 +13947,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
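Review bot: `issuerRegExp` is accepted as a plain `type: string` with no `pattern` or format hint, and its description ("the regular expression to match certificate issuer used for keyless signing") does not say whether the match is anchored. Unless the implementation anchors it, an expression that is only a substring of the intended issuer also matches any issuer containing that substring, so the description should tell authors to anchor the expression (`^...$`) and state whether `issuer` and `issuerRegExp` may both be set, since the schema enforces neither.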
@@ -11327,8 +13994,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
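Review bot: same concern for `subjectRegExp`: the subject is the signer identity (an email address, per the description), and an unanchored or loosely written pattern, for example one with unescaped dots or one matching only the domain part, widens the set of identities trusted to sign the image. The description should recommend anchoring and escaping, and say whether `subject` and `subjectRegExp` are mutually exclusive, which the schema does not enforce.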
@@ -11347,8 +14020,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11404,18 +14083,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
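Review bot: `signatureAlgorithm` is kept under `keys` (now described as "Deprecated. Use attestor.signatureAlgorithm instead.") while the same field is added one level up, and both keep `default: sha256`. The descriptions should state which one wins when the two are set to different values; otherwise an attestor that still sets the deprecated field may verify with a different digest algorithm than its author believes.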
@@ -11631,8 +14315,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -11681,13 +14371,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -11717,8 +14418,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -11737,8 +14444,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11795,19 +14508,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -11922,8 +14639,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
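Review bot: the new `name` field on an attestation entry is described only as "Name is the variable name."; say where that variable is exposed (the rule context, presumably) and whether names must be unique across attestations. The sibling `predicateType` description already spends a sentence on its deprecation, so a sentence on the new field's purpose is in proportion.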
@@ -11991,8 +14711,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -12040,13 +14766,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -12075,8 +14812,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -12095,8 +14838,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -12151,22 +14900,33 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
list must match the image for the rule to apply. Each image reference consists of a registry
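Review bot: the image-verification `failureAction` added at the end of this hunk carries only "Allowed values are Audit or Enforce." and no `default`, whereas the validate rule's field in this same diff explains what each value does. Copy that explanation here and state the behaviour when the field is omitted; for an image-verification rule, unknowingly running in Audit means unverified images are admitted and only reported. The relocated `signatureAlgorithm` in this hunk has the same both-levels-defaulted ambiguity as the other copies in the diff.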
@@ -12238,23 +14998,47 @@
Type specifies the method of signature validation. The allowed options
are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
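Review bot: the `type` description still reads "The allowed options are Cosign and Notary" while the enum now includes `SigstoreBundle`; update the text to list all three values. The new `validate.deny.conditions` is declared with `x-kubernetes-preserve-unknown-fields: true`, so the schema does not constrain the condition structure and malformed conditions will only surface at policy evaluation time; if the `any`/`all` shape is stable, consider encoding it in the schema.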
@@ -12267,23 +15051,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
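Review bot: `validationFailureAction` and `validationFailureActionOverrides` are now described as deprecated, but the field keeps `default: Audit` and its enum; the description should state the precedence when a policy sets both this field and the replacement under the validate rule, since the two can disagree on whether violations block admission.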
@@ -12325,13 +15105,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
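Review bot: `x-kubernetes-list-type: atomic` on `matchExpressions` and on its `values` (here and in the identical hunks below) means server-side apply replaces the whole list instead of merging by item; that is the right choice for selector lists, but it is a behaviour change for anyone managing these selectors with multiple field managers and deserves a line in the release notes.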
@@ -12347,14 +15129,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
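Review bot: the new `failurePolicy` description says "Defaults to Fail" but the schema declares no `default: Fail` (compare `useCache`, which carries `default: true`); add the default so the fail-closed behaviour is visible in the stored object. The description should also say plainly that `Ignore` makes the webhook fail open, admitting requests when the policy errors or times out. Note that the "Requires Kubernetes 1.27 or later" sentence moved from `webhookConfiguration` down to `matchConditions`; confirm that `failurePolicy` really has no version requirement.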
@@ -12362,9 +15155,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12372,9 +15164,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12385,22 +15176,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
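Review bot: the deprecation text on `webhookTimeoutSeconds` points to "webhookTimeoutSeconds under webhookConfiguration", but the field added in this hunk is `webhookConfiguration.timeoutSeconds`; fix the name. The new field's description says the value must be between 1 and 30 seconds, yet the schema declares only `format: int32`; adding `minimum: 1` and `maximum: 30` lets the API server reject out-of-range values when the policy is applied.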
status:
@@ -12423,16 +15218,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12440,9 +15234,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12453,9 +15246,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -12468,8 +15260,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
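Review bot: the `oneOf` block now enforces exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`, but the description just above still says "Either a ConfigMap reference or a APILookup must be provided"; update it to list all five sources (the same stale sentence recurs in the later ContextEntry hunks).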
@@ -12494,8 +15297,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
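Review bot: `apiCall.default` turns an API lookup error into a successful context evaluation with the fallback value; the description should say explicitly that a rule gating on this context entry will then evaluate against the default rather than fail, so authors writing a fail-closed policy can decide to leave it unset.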
@@ -12505,9 +15313,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -12521,8 +15329,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
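Review bot: `service.headers[].value` is a plain string, so any header used to authenticate to the external service is stored in clear text in the policy object and is readable by anyone who can read policies; the description should state this so authors do not treat the field as a credential store.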
@@ -12566,8 +15390,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -12641,15 +15467,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
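Review bot: the new `not: required: [any, all]` on `exclude` (and `not: required: [name, names]` on `resources` in the following hunks) rejects objects that set both members at once, which is a tightening for existing policies; the release notes should call out that policies currently setting both will now fail schema validation on apply.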
@@ -12665,8 +15497,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12727,13 +15563,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12799,13 +15637,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12872,8 +15712,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12934,13 +15778,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13006,13 +15852,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13075,8 +15923,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13137,13 +15989,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13208,13 +16062,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13329,13 +16185,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13351,8 +16209,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
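Review bot: in the new generate `foreach`, the `list` description says the elements are those "to which the validation logic is applied", which reads as copied from the validate foreach; this is a generate rule, so it should say the generate logic. `imageRegistryCredentials.allowInsecureRegistry` is described only as "allows insecure access to a registry"; spell out what is relaxed so reviewers of policies can judge the exposure. `generateExisting` also has a grammar slip ("If is set to").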
@@ -13424,8 +16735,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -13441,8 +16756,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13503,13 +16822,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13575,13 +16896,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13648,8 +16971,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13710,13 +17037,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13782,13 +17111,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13851,8 +17182,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13913,13 +17248,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13984,13 +17321,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14061,8 +17400,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -14088,8 +17438,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -14099,9 +17454,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14115,8 +17470,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -14164,8 +17538,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14241,8 +17617,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -14381,8 +17759,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
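Review bot: `mutateExistingOnPolicyUpdate` has no `default:` and its description does not say what happens when the field is omitted; since this determines whether a policy change rewrites already-admitted resources, state the default explicitly.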
@@ -14409,8 +17792,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -14436,8 +17830,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
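Review bot: `default` on `apiCall` introduces a fail-open path. If the context value feeds a validate or deny condition, an unreachable API server or a 5xx from the JSON web service now resolves to the configured default and the rule is evaluated against that value instead of failing the request. The description should say this explicitly, and policy authors should be warned to choose a default that makes the rule deny, not allow, when the lookup fails.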
@@ -14447,9 +17846,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14463,8 +17862,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
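Review bot: `headers` stores header values as plain strings inside the policy object, so an `Authorization` or API-key header for the JSON web service becomes readable by anyone with get on the policy resource, and lands in audit logs and GitOps history. There is no Secret-backed alternative in this hunk (`value` is just `type: string`). At minimum the description should warn against putting credentials here; ideally add a way to source the value from a Secret. The same block is repeated for the other `apiCall` occurrences below and in the globalcontextentries CRD.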
@@ -14512,8 +17930,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14589,8 +18009,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -14608,8 +18030,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
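Review bot: `selector` is added next to `name` and `uid` under the mutateExisting targets with nothing in the schema saying how they combine: a target may set `name` and `selector` with conflicting values, and the description ("select target resources with their labels") does not state whether the selector is ANDed with `name`/`uid` or is an alternative to them. Add a sentence on precedence, or a validation rule, so that a mis-combined target is not silently widened to every labelled resource of that `kind`.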
@@ -14627,8 +18097,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -14637,13 +18114,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
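Review bot: `allowExistingViolations` defaults to `true`, so after this upgrade every validate rule lets already-violating resources keep violating unless the author explicitly sets it to `false`. That is a reasonable compatibility default but a fail-open one, and it should be spelled out in the upgrade notes so operators do not assume existing violators are now blocked on update. Two smaller points in the same hunk: "prexisting" in the description should be "preexisting", and `assert` is typed only as a preserve-unknown-fields object, so a malformed assertion tree will pass the API server and has to be caught by the controller.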
@@ -14660,21 +18147,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -14686,15 +18170,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -14713,14 +18195,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -14735,12 +18217,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -14759,10 +18241,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -14834,29 +18316,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
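Review bot: this hunk removes the lines "If `paramKind` is cluster-scoped, this field MUST be unset. Setting this" and "If `paramKind` is namespace-scoped, the namespace of the object being" from the `namespace` description with no replacement, which leaves the retained lines "field results in a configuration error." and "evaluated for admission will be used when this field is left unset." without their subjects. Please check the rendered CRD: this looks like an upstream reflow where only the blank-line removals were intended, and if the generated text really reads this way the description is unreadable.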
@@ -14869,22 +18351,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
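Review bot: `parameterNotFoundAction` drops "Default to `Deny`" from its description and replaces it with "Required", but the schema in this hunk still has only `type: string`: there is no `default:` and the field is not added to a `required:` list, so an omitted value is neither defaulted nor rejected by the API server. Either add `default: Deny` (the safe behaviour the old text promised) or enforce the field as required in the schema rather than only in prose. An `enum` of `Allow` and `Deny`, which the description already names as the only allowed values, would be cheap to add here too.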
properties:
matchExpressions:
@@ -14913,13 +18393,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14937,9 +18419,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -14954,8 +18437,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -14968,8 +18452,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
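Review bot: the two enums in this hunk disagree: `failureAction` accepts only `Audit` and `Enforce`, while `failureActionOverrides[].action` also accepts lowercase `audit` and `enforce`. Pick one casing for both (or accept both in both) so an override written in lowercase is not rejected in one place and accepted in the other. `failureAction` is also described as "Optional" without stating which of the two applies when unset; whether a rule blocks or merely reports by default is the one thing a reader of this schema most needs to know. Finally, `namespaces` under the override has no description at all.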
@@ -14991,8 +18556,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -15018,8 +18594,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -15029,9 +18610,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -15045,8 +18626,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -15094,8 +18694,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -15171,8 +18773,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -15382,8 +18986,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
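Review bot: the `tsaCertChain` description ends in a garbled word, "timestamurce", which should be fixed here before it is copied into the other occurrences of the field further down. Separately, this field is a trust anchor: whoever can edit the policy decides which RFC3161 timestamp authority is trusted, and the description says the chain "Must contain the root CA certificate" without saying what happens when it does not. A sentence stating that a missing or invalid root fails verification (rather than silently skipping the timestamp check) would remove the ambiguity.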
@@ -15432,13 +19042,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
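Review bot: `issuerRegExp` (and `subjectRegExp` in the next hunk) loosen keyless identity matching from exact string comparison to a regular expression, and neither description says whether the match is anchored. An unanchored pattern that is merely a substring of an attacker-controlled issuer or subject would match it, and a pattern such as `.*` accepts any identity the issuer has signed for. Document that patterns are matched against the whole string (or anchor them in the controller), and state what happens when both `issuer` and `issuerRegExp` are set, since nothing in the schema makes them mutually exclusive.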
@@ -15468,8 +19089,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -15488,8 +19115,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15546,19 +19179,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
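Review bot: both the deprecated `signatureAlgorithm` inside `keys` and the new attestor-level `signatureAlgorithm` carry `default: sha256`, so the deprecated field is always populated even when the user never set it. The controller therefore cannot use "old field is set" as the signal to fall back to it; it has to prefer the new field unconditionally, and the description of the new field should say that it wins when the two differ. Otherwise a user who sets `sha512` on the attestor and leaves the defaulted `sha256` on `keys` may get the wrong digest algorithm for verification. The same pattern repeats in the later copies of this block.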
@@ -15786,8 +19423,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -15838,13 +19481,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -15876,8 +19531,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -15897,8 +19559,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15957,19 +19625,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -16084,8 +19758,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -16153,8 +19830,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -16203,13 +19886,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -16239,8 +19933,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -16259,8 +19959,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -16317,22 +20023,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
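Review bot: `cosignOCI11` says "Defaults to false" in its description but has no `default: false` in the schema, unlike `useCache` and `verifyDigest` in the next hunk, which declare `default: true`; add the schema default so the documented behaviour is enforced rather than assumed. The `failureAction` added here for image verification has only "Allowed values are Audit or Enforce" as its description, with no statement of which applies when unset; since this is the switch between rejecting an unverified image and merely reporting it, it deserves at least the wording used for the validate rule's `failureAction` above.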
@@ -16417,42 +20139,58 @@
type: string
```
</details> |
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
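Review bot: `required: - match` on the rule object is a tightening that will reject any existing rule without a `match` block on the next apply after the CRD upgrade; confirm no policy in this repo relies on a match-less rule. Also, the `type` description now says "Cosign, Sigstore Bundle and Notary" while the enum value is `SigstoreBundle` without a space; use the literal enum value in the text so it can be copied. The new `validate.deny` block under image verification reuses the "direct list of conditions ... will be deprecated in the next major release" wording, so a brand-new field ships with a deprecated form already allowed; consider accepting only the `any`/`all` form here.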
@@ -16491,14 +20229,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -16550,10 +20283,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
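Review bot: dropping `required: - ready` from `status` is a loosening, but in the right direction: a required status field forces the controller to always write it, and `ready` is being superseded by `conditions`. Any tooling that reads `.status.ready` from these policy objects should be checked, since the field may now be absent rather than false.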
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml 2024-11-22 16:44:28.800436622 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: globalcontextentries.kyverno.io
spec:
group: kyverno.io
names:
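Review bot: the chart label jumps from 3.2.7 to 3.3.3 and the CRDs are regenerated with controller-gen v0.16.1 instead of v0.15.0. A good part of the noise in these diffs (the `\n\n\n` to `\n\n` changes in descriptions, the dropped `---` sections of the Condition docs, the new `x-kubernetes-list-type: atomic` markers) is the generator bump rather than a behavioural change, and could be reviewed separately from the real schema changes (new `required` lists, `oneOf` constraints, new fields). Consider splitting, or at least noting in the PR which hunks are generator noise.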
@@ -62,8 +62,13 @@
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
+ oneOf:
+ - required:
+ - kubernetesResource
+ - required:
+ - apiCall
properties:
apiCall:
description: |-
Stores results from an API call which will be cached.
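Review bot: the `spec` description "Spec declares policy exception behaviors." is a copy-paste from another CRD and is wrong for globalcontextentries.kyverno.io; it should describe a global context entry. The new `oneOf` on `kubernetesResource` / `apiCall` is a good addition, since it finally rejects an entry that configures both sources or neither.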
@@ -92,9 +97,10 @@
type: object
type: array
method:
default: GET
- description: Method is the HTTP request type (GET or POST).
+ description: Method is the HTTP request type (GET or POST). Defaults
+ to GET.
enum:
- GET
- POST
type: string
@@ -105,8 +111,14 @@
The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,
such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
format: duration
type: string
+ retryLimit:
+ default: 3
+ description: RetryLimit defines the number of times the APICall
+ should be retried in case of failure.
+ minimum: 1
+ type: integer
service:
description: |-
Service is an API call to a JSON web service.
This is used for non-Kubernetes API server calls.
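Review bot: `retryLimit` defaults to 3 with `minimum: 1` and no visible backoff or per-attempt timeout, and the `method` enum above allows `POST`. Retrying a POST is only safe if the target endpoint is idempotent, so a cached global context entry configured with `POST` could replay a side-effecting request up to three times on transient errors; `minimum: 1` also means retries cannot be turned off. Either document that retries apply to POST as well, restrict retries to GET, or state the backoff used so the load on a flapping backend is bounded.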
@@ -116,8 +128,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers to
+ be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -155,25 +183,20 @@
type: string
version:
description: Version defines the version of the resource.
type: string
+ required:
+ - resource
+ - version
type: object
type: object
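Review bot: `resource` and `version` become required under `kubernetesResource`; entries that previously omitted `version` will fail schema validation when next applied, so this is a breaking change for existing GlobalContextEntry objects even though the controller behaviour is unchanged.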
status:
description: Status contains globalcontextentry runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
@@ -212,14 +235,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -237,10 +255,8 @@
type: string
ready:
description: Deprecated in favor of Conditions
type: boolean
- required:
- - ready
type: object
required:
- spec
type: object |
Changes
Rendered Chart
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 2024-11-22 16:44:28.800436622 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: policies.kyverno.io
spec:
group: kyverno.io
names:
@@ -32,11 +32,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
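Review bot: dropping the `VALIDATE ACTION` printer column means `kubectl get policy` no longer shows whether a policy is in Enforce or Audit mode; anything that scrapes that column (dashboards, compliance scripts) should be checked, and operators will need `-o yaml` or a custom column to see the enforcement mode.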
@@ -114,31 +111,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
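Review bot: `failurePolicy` at spec level is now documented as deprecated in favour of `webhookConfiguration`, but the schema still accepts it with the same `Ignore`/`Fail` enum, so a policy that relies on a spec-level `failurePolicy: Fail` to fail closed will validate cleanly while nothing in this diff says whether it is still honoured. Audit existing policies for spec-level `failurePolicy`, `generateExisting` and `mutateExistingOnPolicyUpdate` and move them to the new locations before relying on this version; the rendered description "Deprecated, use ... instead" should also state the removal version. `emitWarning` defaults to false, which is the safe choice given the note that it extends admission latency.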
@@ -154,16 +151,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
- by fulfilled for a request to be sent to a webhook.
+ be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -171,9 +167,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -184,9 +179,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -199,8 +193,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
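Review bot: the description on the context line still says "Either a ConfigMap reference or a APILookup must be provided" while the new `oneOf` enumerates five exclusive sources (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`); the text should be updated to match, and since a context entry that sets two sources is now rejected at admission, this is another point for the upgrade notes.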
@@ -225,8 +230,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
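Review bot: `default` turns an `apiCall` failure from a rule error into a silently substituted value; for a validate rule that gates admission on the lookup result, a permissive default makes the policy fail open whenever the API server or web service is unreachable. The description should say this explicitly, and policy authors should pick a default that makes the rule deny rather than allow.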
@@ -236,9 +246,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -252,8 +262,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -297,8 +323,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -371,15 +399,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
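Review bot: the `not: required: [any, all]` block now rejects an `exclude` that specifies both `any` and `all` at the schema level; previously such a combination passed the CRD and was left to the controller. Existing policies with both keys under `exclude` will fail on re-apply, so this belongs in the migration notes alongside the new `required: - name` on context entries.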
@@ -395,8 +429,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -457,13 +495,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -528,13 +568,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -601,8 +643,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -663,13 +709,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -734,13 +782,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -803,8 +853,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -864,13 +918,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -934,13 +990,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1052,13 +1110,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1074,8 +1134,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
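Review bot: the `list` description under the generate `foreach` says the elements are those "to which the validation logic is applied", which is copied from the validate foreach and should read generate logic. Also, unlike the `oneOf` added for context entries, nothing in this schema makes `data`, `clone` and `cloneList` mutually exclusive even though the descriptions say at most one of Data or Clone may be set; consider a `not`/`oneOf` here as well. Minor: "when an rule is applied" appears twice in the preconditions descriptions.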
@@ -1147,8 +1652,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -1164,8 +1673,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1226,13 +1739,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1297,13 +1812,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1370,8 +1887,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1432,13 +1953,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1503,13 +2026,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1572,8 +2097,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1633,13 +2162,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1703,13 +2234,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1779,8 +2312,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -1805,8 +2349,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -1816,9 +2365,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -1832,8 +2381,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -1879,8 +2447,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -1954,8 +2524,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -2091,8 +2663,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
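Review bot: the rule-level `mutateExistingOnPolicyUpdate` has no `default:` and coexists with the deprecated spec-level field of the same name; neither description says which one wins when both are set, and a policy that flips the spec-level flag to true but leaves the rule-level one unset could silently stop mutating existing resources. Please document the precedence or add a default.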
@@ -2119,8 +2695,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2145,8 +2732,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2156,9 +2748,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2172,8 +2764,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
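Review bot: `headers[].value` is a plain string stored in the policy object, and the description says nothing about credentials. Since this is the natural place for an `Authorization` header, the description should state that values placed here are readable by anyone who can read the (Cluster)Policy, and say whether a value may be sourced from a Secret through variable substitution instead of being written inline. Minor: the `key` and `value` descriptions lack terminal punctuation, unlike the surrounding fields.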
@@ -2219,8 +2830,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2294,8 +2907,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -2313,8 +2928,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -2332,8 +2995,14 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -2342,13 +3011,22 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting violating
+ resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
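Review bot: `allowExistingViolations` defaults to `true`, but the description does not mention the default or spell out the consequence for Enforce mode (updates to a resource that already violates the rule keep being admitted). Suggest "Defaults to true." plus one sentence on that behaviour; also fix the typo "prexisting" to "pre-existing". Consistency: `assert` declares `type: object` alongside `x-kubernetes-preserve-unknown-fields`, while the adjacent `anyPattern` has only the latter.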
@@ -2365,21 +3043,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -2391,15 +3066,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -2417,9 +3090,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -2437,12 +3110,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -2460,9 +3133,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -2534,29 +3207,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -2569,22 +3242,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
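Review bot: `parameterNotFoundAction` loses its documented default ("Default to `Deny`") and gains "Required", yet nothing in this hunk enforces that: there is no `enum` limiting the value to `Allow`/`Deny` and no `required:` entry for the field. If the field is genuinely required, the schema should say so; if it is not, the unset behaviour (previously fail-closed at `Deny`) is now undocumented and should be restored to the description.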
@@ -2613,13 +3284,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2637,9 +3310,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -2654,8 +3328,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -2668,8 +3343,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
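Review bot: the new per-rule `failureAction` is described as "Optional" but has no `default:` key, and the description never says which mode applies when it is unset. The top-level `validationFailureAction` it replaces defaults to `Audit`, which is fail-open (report only), so the default here matters and should be stated in both schema and description. Separately, `failureAction` accepts only `Audit`/`Enforce`, while `failureActionOverrides[].action` also accepts the lowercase `audit`/`enforce`; the two enums should agree.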
@@ -2690,8 +3446,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2716,8 +3483,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2727,9 +3499,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2743,8 +3515,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -2790,8 +3581,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2865,8 +3658,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -3072,8 +3867,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
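Review bot: the `tsaCertChain` description contains a corrupted word, "timestamurce", and the same text is copy-pasted into every other `tsaCertChain` occurrence in this diff (under rekor, ctlog and keys for each attestor shape). It also calls the value a "certificate chain file" although the field is a string inside a policy object; the description should say whether it expects inline PEM content or a file path.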
@@ -3122,13 +3923,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
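Review bot: `issuerRegExp` (and the companion `subjectRegExp` added in the next hunk) should document whether the expression is anchored, i.e. whether it must match the whole issuer/subject or any substring of it. For keyless verification this is the identity check, and an unanchored pattern matches more identities than the author intended; suggest stating the semantics and recommending that authors write anchored patterns (`^...$`). It should also say how `issuerRegExp` interacts with `issuer` when both are set.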
@@ -3158,8 +3970,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3178,8 +3996,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3235,18 +4059,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
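Review bot: the deprecated `keys.signatureAlgorithm` keeps `default: sha256`, so it will always be populated even after users migrate to the new attestor-level `signatureAlgorithm` (which also defaults to `sha256`). The descriptions should state which value wins when the two disagree, and dropping the default from the deprecated field would avoid the ambiguity. The same pair of changes recurs for each attestor shape later in this diff.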
@@ -3473,8 +4302,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3523,13 +4358,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3559,8 +4405,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3579,8 +4431,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3637,19 +4495,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -3764,8 +4626,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -3833,8 +4698,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3882,13 +4753,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3917,8 +4799,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -3937,8 +4825,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3993,22 +4887,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
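Review bot: `cosignOCI11` says "Defaults to false." but carries no `default:` key, and the image-verification `failureAction` only lists allowed values without explaining what each does or what applies when unset. Since this controls whether an unverifiable image is rejected or merely reported, the description should mirror the validate rule's `failureAction` text and state the default.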
@@ -4092,26 +5002,50 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
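Review bot: adding `match` to the rule's `required` list is a breaking schema change: any existing policy containing a rule without a `match` block will be rejected by the API server on the next apply. This should be called out in the release notes or the upgrade path confirmed. Minor: the `type` description says "Sigstore Bundle" while the enum value is `SigstoreBundle`; use the literal value so it can be copied.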
@@ -4124,23 +5058,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
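Review bot: both deprecation messages name fields that do not exist. The replacements added under the validate rule earlier in this diff are `failureAction` and `failureActionOverrides`, not `validationFailureAction` and `validationFailureActionOverrides` as the new descriptions claim. Also, the deprecated top-level field keeps `default: Audit`; if the per-rule field is meant to take precedence, say so, otherwise users reading the schema cannot tell which setting is in effect.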
@@ -4182,13 +5112,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4204,14 +5136,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
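Review bot: the `failurePolicy` description leaks an implementation comment ("This field should not be accessed directly, instead `GetFailurePolicy()` should be used") that means nothing to a policy author and should be dropped from the CRD. It also states "Defaults to Fail" without a `default:` key in the schema. Since `Ignore` admits requests when the webhook errors or times out, the description should name that fail-open consequence explicitly.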
@@ -4219,9 +5162,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4229,9 +5171,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4242,22 +5183,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
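Review bot: the deprecation text points at the wrong field: it says "use webhookTimeoutSeconds under webhookConfiguration", but the field added under `webhookConfiguration` is `timeoutSeconds`. The new `timeoutSeconds` also documents "must be between 1 and 30 seconds" and a 10s default without `minimum`, `maximum` or `default` keys; adding them lets the API server enforce the range instead of relying on prose.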
@@ -4281,16 +5226,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4298,9 +5242,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4311,9 +5254,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -4326,8 +5268,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
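Review bot: the new `oneOf` makes five entry kinds mutually exclusive (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`), but the description directly above it still says "Either a ConfigMap reference or a APILookup must be provided"; update it to list all five (and fix "a APILookup" to "an APILookup"). This is also a validation tightening: a context entry that previously set two of these keys passed the CRD and was sorted out by the controller, and will now be rejected at admission, so existing policies should be checked before the chart is rolled out.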
@@ -4352,8 +5305,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
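Review bot: `default` turns a failing `apiCall` from a hard error into a silent fallback: per the description, when the lookup errors the context value becomes the supplied object and the rule continues. The description should say explicitly that the rule does not fail in that case, so authors do not attach a default to a lookup that gates a deny decision without realising the deny path can then be bypassed by an API outage. Minor: "returns error" should read "returns an error".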
@@ -4363,9 +5321,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -4379,8 +5337,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
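Review bot: `headers[].value` is a plain `string` with no Secret-reference alternative, so any credential sent to the external JSON service this way (an Authorization header, for instance) is stored in cleartext inside the policy object and is visible to anyone who can read policies. At minimum the `headers` description should warn about that; a `valueFrom`-style Secret reference would be the proper fix upstream.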
@@ -4424,8 +5398,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -4499,15 +5475,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
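Review bot: `not: required: [any, all]` under `exclude` now rejects an object that sets both `any` and `all`, but the description at the top of the hunk says nothing about the two being mutually exclusive; add a sentence so the resulting validation error is predictable. The same constraint is added to `match` later in this patch, so existing policies that set both keys will start failing CRD validation after the upgrade.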
@@ -4523,8 +5505,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
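Review bot: `not: required: [name, names]` on `resources` makes `name` and `names` mutually exclusive at the CRD level, yet the description still reads only "contains information about the resource being created or modified"; document the exclusivity there. This block is repeated for every `resources` occurrence below, so a policy that sets both fields anywhere under match or exclude now fails admission rather than being silently accepted.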
@@ -4585,13 +5571,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
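Review bot: `x-kubernetes-list-type: atomic` on `matchExpressions` and `values` lines the selector up with the upstream LabelSelector schema, but it changes server-side apply semantics: the whole list is owned and replaced by a single applier instead of being merged element by element. That is the right choice for a selector, but since the same annotation is added to every selector in this patch it deserves a line in the release notes for anyone managing policies with multiple field managers.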
@@ -4657,13 +5645,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4730,8 +5720,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4792,13 +5786,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4864,13 +5860,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4933,8 +5931,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4995,13 +5997,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5066,13 +6070,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5187,13 +6193,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5209,8 +6217,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
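Review bot: the `list` description inside the new generate `foreach` says the expression yields elements "to which the validation logic is applied"; that text is copied from the validate foreach and should say the generate logic. Smaller wording issues in the same block: the `Selector` description has a stray period ("Label keys and values in `matchLabels`. wildcard characters"), "when an rule is applied" should be "when a rule is applied", and `generateExisting` reads "If is set to" (should be "If set to"). Since `generateExisting` fans a generate rule out over every existing matched resource, the schema should also carry an explicit `default:` so the behaviour on upgrade is visible from the CRD.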
@@ -5282,8 +6743,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -5299,8 +6764,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5361,13 +6830,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5433,13 +6904,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5506,8 +6979,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5568,13 +7045,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5640,13 +7119,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5709,8 +7190,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5771,13 +7256,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5842,13 +7329,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5919,8 +7408,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -5946,8 +7446,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -5957,9 +7462,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -5973,8 +7478,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6022,8 +7546,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6099,8 +7625,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -6239,8 +7767,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
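Review bot: `mutateExistingOnPolicyUpdate` has no `default:` in the schema, unlike `skipBackgroundRequests` (`default: true`) and `allowExistingViolations` (`default: true`) elsewhere in this patch. Because a true value re-applies the mutation to already existing resources every time the policy itself changes, the default should be stated in the CRD so that operators can see it from `kubectl explain` rather than having to read the controller.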
@@ -6267,8 +7800,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -6294,8 +7838,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -6305,9 +7854,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6321,8 +7870,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6370,8 +7938,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6447,8 +8017,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -6466,8 +8038,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -6485,8 +8105,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -6495,13 +8122,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
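Review bot: `allowExistingViolations` defaults to `true`, so resources that already violate a policy keep passing validation unless the author explicitly opts out; that is a permissive default and belongs in the upgrade notes. Also "prexisting" is a typo for "pre-existing". For `assert`, `type: object` with `x-kubernetes-preserve-unknown-fields: true` means the kyverno-json assertion tree is not validated by the CRD at all; acceptable if the controller validates it, but authoring mistakes will only surface when the policy is loaded, not at apply time.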
@@ -6518,21 +8155,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -6544,15 +8178,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -6571,14 +8203,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -6593,12 +8225,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -6617,10 +8249,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -6692,29 +8324,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -6727,22 +8359,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
@@ -6771,13 +8401,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -6795,9 +8427,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -6812,8 +8445,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -6826,8 +8460,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
@@ -6849,8 +8564,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
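Review bot: The `ContextEntry` description still says `Either a ConfigMap reference or a APILookup must be provided`, but the new `oneOf` lists five alternatives (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`); update the description to match. Note also that `oneOf` now rejects an entry that sets more than one source, which is stricter than the previous schema.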
@@ -6876,8 +8602,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
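Review bot: The new `default` on `apiCall` is documented only as the value the context takes `if the apiCall returns error`; the description should make clear that this masks lookup failures, so a rule whose decision depends on the lookup result is then evaluated against the fallback value. Suggest wording that recommends a fail-closed default (one that makes the validate condition fail) for security-relevant lookups.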
@@ -6887,9 +8618,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6903,8 +8634,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
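Review bot: `headers[].value` is a plain `string` with no way to reference a Secret, so an `Authorization` header for an external JSON web service would be stored in clear text in the policy object and be readable by anyone who can read policies. Document that limitation in the `Headers` description, or add a secret-reference alternative.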
@@ -6952,8 +8702,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -7029,8 +8781,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -7240,8 +8994,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
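Review bot: The `tsaCertChain` description ends in `timestamurce`, which reads as a mangled `timestamp ...`; fix the typo here and in the identical blocks added for the other attestor entries below. The field is also described as a `certificate chain file` but is a CRD `string`; clarify whether it carries a path or the PEM content itself.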
@@ -7290,13 +9050,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -7326,8 +9097,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -7346,8 +9123,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7404,19 +9187,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
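Review bot: `signatureAlgorithm` now exists at two levels, both with `default: sha256`: the `keys` one is marked `Deprecated. Use attestor.signatureAlgorithm instead` and the attestor-level one is new. Neither description states which wins when both are set, and a mismatched digest algorithm makes every signature fail verification, so document the precedence and that `sha256` remains the default when neither is given.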
@@ -7644,8 +9431,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -7696,13 +9489,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -7734,8 +9539,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -7755,8 +9567,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7815,19 +9633,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -7942,8 +9766,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -8011,8 +9838,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -8061,13 +9894,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -8097,8 +9941,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -8117,8 +9967,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -8175,22 +10031,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ ```
</details> |
Changes Rendered Chart sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
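Review bot: The rule-level `failureAction` added here says only `Allowed values are Audit or Enforce` and gives no default; state whether an unset value falls back to the policy-level setting, because an image-verification rule that silently runs in Audit would admit unsigned images. `cosignOCI11` is documented as experimental with `Defaults to false`, which is the right conservative default.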
@@ -8275,42 +10147,58 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
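Review bot: `match` is added to the rule's `required` list, so any existing policy rule that omits `match` will be rejected on upgrade; call this out in the chart's release notes. The `type` enum gains `SigstoreBundle` while the description still says `By default Cosign is used if a type is not specified`, which is consistent, but the enum order (`Cosign`, `SigstoreBundle`, `Notary`) should match the order in the description text (`Cosign, Sigstore Bundle and Notary`) so the two do not drift.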
@@ -8349,14 +10237,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -8408,10 +10291,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
@@ -8425,11 +10306,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
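Review bot: Dropping the `VALIDATE ACTION` printer column (`.spec.validationFailureAction`) removes the at-a-glance Audit/Enforce signal from `kubectl get`; with `failureAction` moving to the rule level there is no single path to print, but a note in the release notes would help operators who script against that column.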
@@ -8507,30 +10385,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
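Review bot: The old `failurePolicy` description stated `Defaults to Fail`; the replacement `Deprecated, use failurePolicy under the webhookConfiguration instead` drops that, and the new `emitWarning` text still refers to `validationFailureAction set to Audit` while the rest of this change moves to `failureAction`. Keep the fail-closed default visible at the deprecated field (or point to where it is now stated) and update the `emitWarning` wording to the new field name.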
@@ -8553,9 +10432,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -8563,9 +10441,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -8576,9 +10453,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -8591,8 +10467,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -8617,8 +10504,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -8628,9 +10520,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -8644,8 +10536,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -8689,8 +10597,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -8763,15 +10673,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
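Review bot: `not: required: [any, all]` under `exclude` rejects a block that sets both `any` and `all`; existing policies written that way will fail when the policy object itself is admitted after upgrade, so this deserves a mention in the upgrade notes. The same construct is applied to `resources` (`name` versus `names`) in the following hunk.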
@@ -8787,8 +10703,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -8849,13 +10769,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8920,13 +10842,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8993,8 +10917,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9055,13 +10983,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9126,13 +11056,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9246,13 +11178,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9268,8 +11202,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
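Review bot: the `allowInsecureRegistry` description (`AllowInsecureRegistry allows insecure access to a registry.`) should spell out what "insecure" disables and state the default, because the field has `type: boolean` with no `default:` and a reader cannot tell from the schema whether it permits plain HTTP, skips TLS certificate verification, or both; the image details fetched through this setting feed directly into rule decisions, so the weakening needs to be explicit. Three wording points in the same hunk: the `generateExisting` text reads `If is set to "true"` (should be `If set to "true"`), the `cloneList` text `the list of source resource used` should be `source resources`, and the `data` description says `At most one of Data or Clone must be specified` while the `clone` description says `can be specified`; the two should agree.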
@@ -9341,8 +11720,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
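Review bot: the new `not: required: [any, all]` block makes `any` and `all` mutually exclusive at the API server, but the MatchResources description just above (`At least one kind is required.`) does not mention it; add a sentence stating that at most one of `any` or `all` may be set, so policy authors learn the constraint from the docs rather than from a rejected apply.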
@@ -9358,8 +11741,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9420,13 +11807,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9491,13 +11880,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9564,8 +11955,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9626,13 +12021,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9697,13 +12094,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9775,8 +12174,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
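Review bot: the `oneOf` list now enforces exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` per context entry, but the description two lines above still reads `Either a ConfigMap reference or a APILookup must be provided.`; update it to name all five sources so the doc matches the schema (and change `a APILookup` to `an APILookup`).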
@@ -9801,8 +12211,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
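Review bot: the new `default` field turns an `apiCall` failure into a silently substituted value (`Default is an optional arbitrary JSON object that the context value is set to, if the apiCall returns error.`), which means a validation rule keyed on that context entry fails open whenever the API server or web service is unreachable; the description should state plainly that the error is swallowed instead of failing the rule, so that authors pick a default that still yields a deny, and it should say whether the swallowed error is logged or reported anywhere.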
@@ -9812,9 +12227,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -9828,8 +12243,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
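Review bot: `headers` values are plain `type: string` entries stored inline in the policy object, so an `Authorization` or API-key header used to reach the web service becomes readable by anyone who can read the ClusterPolicy; the description (`Headers is a list of optional HTTP headers to be included in the request.`) should warn that values are literal strings rather than secret references, and if credentials are expected here a secret-reference field would be the safer shape. Since the headers go to whatever `url` points at, the `caBundle` just above is the only thing binding such a credential to the intended server, which is worth saying in the same place.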
@@ -9875,8 +12309,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -9950,8 +12386,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -10087,8 +12525,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
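Review bot: `mutateExistingOnPolicyUpdate` (`controls if the mutateExisting rule will be applied on policy events`) has no `default:` and the description does not say which behaviour applies when the field is omitted; re-mutating every existing matched resource on a policy edit is a cluster-wide side effect, so state the default explicitly and clarify what counts as a policy event (create, update, or both).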
@@ -10115,8 +12557,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -10141,8 +12594,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -10152,9 +12610,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10168,8 +12626,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -10215,8 +12692,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -10290,8 +12769,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -10309,8 +12790,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -10430,8 +12959,12 @@
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
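Review bot: `assert` is declared as `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server accepts any tree here and a mistyped assertion is only discovered at evaluation time; the one-line description (`Assert defines a kyverno-json assertion tree.`) should link to the assertion syntax and say how a malformed tree is treated (rule error versus pass), because that decides whether a typo in an assertion fails open.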
@@ -10448,21 +12981,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -10474,15 +13004,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -10500,9 +13028,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -10520,12 +13048,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -10543,9 +13071,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -10617,29 +13145,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -10652,22 +13180,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
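Review bot: replacing "Default to `Deny`" with "Required" drops the documented fail-closed default for `parameterNotFoundAction`; if the field is now mandatory it should appear under a `required:` list (not visible in this hunk), and if it is not, the `Allow` path (`matched parameters will be treated as successful validation by the binding`) needs the default spelled out so that an omitted value cannot silently skip validation.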
@@ -10696,13 +13222,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -10720,9 +13248,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -10737,8 +13266,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -10840,8 +13370,89 @@
type: object
type: array
type: object
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
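Review bot: `failureAction` is marked `Optional.` but neither the description nor a `default:` says what an unset value means, and since `Audit` lets the violating request through and only records a report, readers must know whether an omitted field is fail-open; state the default. The override `action` enum also accepts lowercase `audit`/`enforce` alongside `Audit`/`Enforce`, while `failureAction` itself accepts only the capitalised forms, so `audit` is rejected at rule level and accepted in an override; align the two enums. Finally, `namespaces` under `failureActionOverrides` has no `description:` at all; say that it lists namespace names and how it combines with `namespaceSelector` (either, or both required).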
@@ -10862,8 +13473,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -10888,8 +13510,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -10899,9 +13526,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10915,8 +13542,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -10962,8 +13608,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -11037,8 +13685,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -11244,8 +13894,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
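Review bot: the `tsaCertChain` description ends in the garbled word `timestamurce`, which looks like a truncated "timestamp response"; fix the text. More importantly this field is a trust anchor (`Must contain the root CA certificate`) pasted inline as a string, so the description should say that the chain is what the verifier trusts for RFC 3161 timestamps, that it deserves the same review as any other CA bundle in the policy, and what happens when it is unset (no timestamp verification, or a built-in TSA root).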
@@ -11294,13 +13950,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
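Review bot: `issuerRegExp` (and `subjectRegExp` in the next hunk) is described as a "regular expression to match certificate issuer" without stating whether the match is anchored to the whole value or is a substring search. For an identity check this matters: an unanchored pattern accepts any identity that merely contains the intended string. The description should state the matching semantics, and documentation examples should anchor patterns with `^` and `$`.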
@@ -11330,8 +13997,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -11350,8 +14023,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11407,18 +14086,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
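Review bot: both the deprecated `keys.signatureAlgorithm` and the new `attestor.signatureAlgorithm` keep `default: sha256` and `type: string` with no `enum`, even though the description enumerates the supported values (sha224, sha256, sha384, sha512); an `enum` would reject typos at admission rather than at verification time. With both fields present and both defaulted, the schema does not show which one wins when a policy sets the old field to a non-default value; the deprecation text should say so. The same change is repeated in two later hunks.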
@@ -11634,8 +14318,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -11684,13 +14374,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -11720,8 +14421,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -11740,8 +14447,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11798,19 +14511,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -11925,8 +14642,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -11994,8 +14714,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -12043,13 +14769,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -12078,8 +14815,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -12098,8 +14841,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -12154,22 +14903,33 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
list must match the image for the rule to apply. Each image reference consists of a registry
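Review bot: the new per-rule `failureAction` has `enum: [Audit, Enforce]` but no `default:`, while the policy-level `validationFailureAction` it replaces (deprecated later in this diff) defaults to `Audit`; either add a `default:` here or document that an unset rule-level value falls back to the policy-level field, since the schema alone does not show whether an unset value audits or enforces. The enum also only lists the capitalized spellings, whereas the old field accepted `audit`/`enforce`, so policies using lowercase values must be adjusted when migrating.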
@@ -12241,23 +15001,47 @@
Type specifies the method of signature validation. The allowed options
are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
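Review bot: two points in this hunk. `required:` now includes `match`, so existing rules that omit `match` will be rejected by the new CRD (previously only `name` was required); that is a breaking schema change and should be called out in the upgrade notes. Separately, `SigstoreBundle` is added to the `type` enum while the description a few lines above still says "The allowed options are Cosign and Notary"; update the description to list the third option.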
schemaValidation:
@@ -12270,23 +15054,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
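Review bot: the deprecated `validationFailureAction` still accepts the lowercase `audit`/`enforce` values in its enum, but the replacement `failureAction` under the validate rule (earlier in this diff) only lists `Audit`/`Enforce`; the deprecation text should mention the case change so that policies are not rejected when the value is moved to the new field.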
@@ -12328,13 +15108,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12350,14 +15132,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
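Review bot: `failurePolicy` is the security-relevant knob in this hunk: `Ignore` makes the webhook fail open, so a policy error or timeout lets the request through. The description says "Defaults to Fail" but no `default: Fail` is declared in the schema; add it so the fail-closed default is visible in `kubectl explain` output and to anyone auditing rendered policies. Also, "This field should not be accessed directly, instead `GetFailurePolicy()` should be used" is a Go implementation note that has leaked into user-facing CRD documentation.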
@@ -12365,9 +15158,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12375,9 +15167,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12388,22 +15179,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
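Review bot: `timeoutSeconds` under `webhookConfiguration` describes a range of 1 to 30 seconds but the schema only sets `format: int32`; add `minimum: 1` and `maximum: 30` so out-of-range values are rejected at admission rather than when the webhook is registered. Since this timeout interacts with `failurePolicy`, a long timeout combined with `Ignore` widens the window in which requests are admitted without a policy decision; the description could say so.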
@@ -12426,16 +15221,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12443,9 +15237,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12456,9 +15249,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -12471,8 +15263,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
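Review bot: the new `oneOf` makes exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` mandatory, which is an improvement: a context entry with two sources was previously ambiguous. The description just above still says "Either a ConfigMap reference or a APILookup must be provided", which is now wrong on both counts (five options, and exactly one of them). The same `oneOf` block is repeated in the generate `foreach` hunk at the end of this diff, with the same stale description.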
@@ -12497,8 +15300,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
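Review bot: `default` turns an `apiCall` error into a successful lookup that returns the fallback value. For policies whose deny or validate decision depends on that context value, an unreachable API server or JSON web service now yields whatever the default says instead of a rule error, which can flip a check from fail-closed to fail-open depending on the value chosen. That consequence belongs in the description, and existing policies should be reviewed before adopting the field.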
@@ -12508,9 +15316,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -12524,8 +15332,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -12569,8 +15393,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -12644,15 +15470,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
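Review bot: `not: required: [any, all]` rejects an `exclude` block that sets both `any` and `all`, which previously validated with unclear precedence. This is a behaviour change for existing policies and the description above it does not mention the exclusivity; a sentence there would help. The same pattern is applied to `name`/`names` under `resources` in the following hunks.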
@@ -12668,8 +15500,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12730,13 +15566,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12802,13 +15640,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12875,8 +15715,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12937,13 +15781,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13009,13 +15855,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13078,8 +15926,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13140,13 +15992,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13211,13 +16065,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13332,13 +16188,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13354,8 +16212,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
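Review bot: the new `generateExisting` flag (`description: GenerateExisting controls whether to trigger the rule in existing resources`) changes a generate rule's blast radius from admission-time only to every already-matched resource in the cluster the moment the policy is created or updated, so any policy in this repo that sets it to `true` deserves a dry run against the existing inventory before the upgrade lands. The sentence `If is set to "true" the rule will be triggered` is missing its subject; that is an upstream CRD wording issue to report rather than patch here. The `any`/`all` precondition descriptions in the same hunk also repeat the typo `when an rule is applied`.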
@@ -13427,8 +16738,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
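Review bot: the added `not: required: [any, all]` under MatchResources is a schema-level rejection of match blocks that specify both `any` and `all`, which previously passed CRD validation and were handled by the controller. Before merging, grep the policies deployed from this repo for rules that set both, because they will fail to apply after the CRD update rather than degrade gracefully.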
@@ -13444,8 +16759,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13506,13 +16825,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
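Review bot: the `x-kubernetes-list-type: atomic` markers added to `matchExpressions` and its `values` list change server-side apply semantics, so a second field manager touching a selector now replaces the whole list instead of merging entries. That is the upstream Kubernetes LabelSelector schema and is correct, but anyone managing Kyverno policies with multiple appliers (GitOps plus manual kubectl apply --server-side) should expect ownership conflicts on these fields.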
@@ -13578,13 +16899,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13651,8 +16974,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13713,13 +17040,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13785,13 +17114,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13854,8 +17185,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13916,13 +17251,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13987,13 +17324,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14064,8 +17403,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
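Review bot: the description above the new `oneOf` block is now stale: it still says `Either a ConfigMap reference or a APILookup must be provided`, while the schema enumerates five mutually exclusive sources (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`). The practical effect of the `oneOf` is that a context entry setting two sources, which the controller previously tolerated, is rejected at admission, so policies should be checked for entries that combine, for example, `variable` with `apiCall`.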
@@ -14091,8 +17441,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -14102,9 +17457,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14118,8 +17473,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
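Review bot: the `headers` list on the `service` block stores each header as a plain `value: type: string`, with no secret reference alternative in this schema. An `Authorization` or API-key header set here ends up verbatim in the ClusterPolicy object, readable by anyone with `get` on policies and visible in Git and in audit logs of the object, so authenticated `apiCall` targets should rely on the `caBundle` plus network-level identity rather than a token in the policy, or the upstream project should be asked for a secretRef form.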
@@ -14167,8 +17541,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14244,8 +17620,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -14384,8 +17762,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
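Review bot: `mutateExistingOnPolicyUpdate` has a description and `type: boolean` but no `default:` entry, unlike `skipBackgroundRequests` and `allowExistingViolations` elsewhere in this diff, so a reader cannot tell from the schema whether a mutateExisting rule re-fires on policy edits unless the field is set explicitly. Worth pinning in policies that use mutateExisting, since re-applying a mutation across all existing targets on every policy edit is a sizeable write fan-out.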
@@ -14412,8 +17795,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -14439,8 +17833,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -14450,9 +17849,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14466,8 +17865,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -14515,8 +17933,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14592,8 +18012,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -14611,8 +18033,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -14630,8 +18100,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -14640,13 +18117,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
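Review bot: `allowExistingViolations` arrives with `default: true`, which means an Enforce rule will keep admitting updates to resources that already violated it before the policy existed; teams expecting a newly enforced rule to block every non-compliant write need to set it to `false` explicitly. The description also has a typo, `prexisting`, to report upstream. The new `assert` block is `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so kyverno-json assertion trees get no schema validation at admission and errors only appear at rule evaluation time.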
@@ -14663,21 +18150,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -14689,15 +18173,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -14716,14 +18198,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -14738,12 +18220,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -14762,10 +18244,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -14837,29 +18319,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -14872,22 +18354,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
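Review bot: the Allow/Deny field in this hunk loses the line `Default to `Deny`` and gains `Required`, so the documented fail-closed default for missing parameters is gone and bindings that omitted the field were relying on behaviour the schema no longer promises. Any CEL-backed rules in this repo that use `paramRef` should set the field explicitly, preferably to `Deny`, before the upgrade.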
@@ -14916,13 +18396,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14940,9 +18422,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -14957,8 +18440,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -14971,8 +18455,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
@@ -14994,8 +18559,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -15021,8 +18597,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -15032,9 +18613,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -15048,8 +18629,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -15097,8 +18697,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -15174,8 +18776,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -15385,8 +18989,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
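Review bot: the `tsaCertChain` description ends in garbled text, `if not present in the timestamurce.`, which looks like a truncated "timestamp response" or "source" in the upstream Go doc comment; the same string is repeated in every copy of this field in the diff, so one upstream fix covers all of them. Functionally the field is the right shape for RFC 3161 verification (PEM chain, root CA required, intermediates optional), and since it is a `type: string` the full chain lands inline in the policy rather than in a ConfigMap.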
@@ -15435,13 +19045,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -15471,8 +19092,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -15491,8 +19118,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15549,19 +19182,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
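Review bot: `signatureAlgorithm` is deprecated at the key level (`Deprecated. Use attestor.signatureAlgorithm instead.`) and re-introduced one level up with the same `default: sha256` and the same `sha224, sha256, sha384 and sha512` set, but the deprecated copy keeps its default too, so a policy that sets `sha512` only on the inner field will see the outer field default to `sha256`. Policies that pin a non-default digest should move the setting to the attestor level as part of this upgrade; the deprecation notice could also state what the controller does when both fields disagree.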
@@ -15789,8 +19426,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -15841,13 +19484,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -15879,8 +19534,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -15900,8 +19562,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15960,19 +19628,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -16087,8 +19761,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -16156,8 +19833,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -16206,13 +19889,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
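Review bot: `issuerRegExp` is added beside the exact-match `issuer` with nothing in the schema or the description stating precedence when both are set, and nothing stating whether the expression is anchored. Because the issuer is part of the identity that keyless verification trusts, the description should say that the pattern is matched against the whole issuer string (or that authors must anchor it with `^...$`) so that a partial match does not widen the set of accepted issuers.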
@@ -16242,8 +19936,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
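Review bot: `subject` and `subjectRegExp` can both be set, and unlike the `name`/`names` pair in the policyexceptions CRD in this same diff (`not: required: [name, names]`), the schema does not declare them mutually exclusive; either add the same `not: required` construct or document which one is honoured. The description should also remind authors that `.` in an email address matches any character unless escaped, so a pattern meant for a single identity should be written as an anchored, escaped literal.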
@@ -16262,8 +19962,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -16320,22 +20026,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
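Review bot: `failureAction` gets an `enum` of Audit/Enforce but no `default:`, unlike the neighbouring flags `useCache` and `verifyDigest`, which both carry `default: true`. Because Audit admits images that fail verification, the description should state what an unset field means, and the schema should pin it with a `default:` so the effective mode is visible in the stored object rather than decided in controller code. The `cosignOCI11` description says only "experimental"; one sentence on what changes in verification when it is enabled would help reviewers judge the risk of turning it on.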
@@ -16420,42 +20142,58 @@
type: string
type:
```
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
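Review bot: adding `- match` to the `required` list next to `- name` is a breaking schema change: existing policy objects without `match` remain readable, but any update to them will be rejected by the API server, so the change should be called out in the release notes. The new `validate.deny.conditions` is declared `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server performs no validation of the `any`/`all` structure and malformed conditions only surface when the rule is evaluated; the description already links to the docs, but it should at least name the accepted shapes given that the bare list form is announced as deprecated.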
@@ -16494,14 +20232,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -16553,10 +20286,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
names:
@@ -176,8 +176,12 @@
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
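Review bot: the `not: required: [any, all]` construct under `match` turns setting both `any` and `all` into a validation error. That is a tightening, so any existing PolicyException that combines both will fail on its next update; it deserves a changelog entry. The same construct is applied to `name`/`names` in the `resources` blocks further down, which is consistent.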
@@ -192,8 +196,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -253,13 +261,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
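Review bot: `x-kubernetes-list-type: atomic` on `values` and on `matchExpressions` changes server-side apply semantics: the whole list is now owned and replaced by a single applier instead of being merged per element. This matches the upstream `metav1.LabelSelector` markers that controller-gen v0.16 now emits, so it is correct, but two field managers that previously contributed separate entries to the same selector list will now conflict on apply.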
@@ -323,13 +333,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -395,8 +407,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -456,13 +472,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -526,13 +544,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -644,10 +664,11 @@
required:
- spec
type: object
served: true
- storage: false
- - name: v2alpha1
+ storage: true
+ - deprecated: true
+ name: v2beta1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
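Review bot: `deprecated: true` is set on `v2beta1` without a `deprecationWarning`, so clients only receive the generic API server deprecation warning rather than one naming the replacement. Add a `deprecationWarning` that points at the version which now carries `storage: true` in this hunk, so kubectl users see which version to migrate their manifests to.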
@@ -796,8 +817,12 @@
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -812,211 +837,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1076,13 +902,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1146,13 +974,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1203,224 +1033,10 @@
x-kubernetes-map-type: atomic
type: array
type: object
type: array
- type: object
- podSecurity:
- description: |-
- PodSecurity specifies the Pod Security Standard controls to be excluded.
- Applicable only to policies that have validate.podSecurity subrule.
- items:
- description: PodSecurityStandard specifies the Pod Security Standard
- controls to be excluded.
- properties:
- controlName:
- description: |-
- ControlName specifies the name of the Pod Security Standard control.
- See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
- enum:
- - HostProcess
- - Host Namespaces
- - Privileged Containers
- - Capabilities
- - HostPath Volumes
- - Host Ports
- - AppArmor
- - SELinux
- - /proc Mount Type
- - Seccomp
- - Sysctls
- - Volume Types
- - Privilege Escalation
- - Running as Non-root
- - Running as Non-root user
- type: string
- images:
- description: |-
- Images selects matching containers and applies the container level PSS.
- Each image is the image name consisting of the registry address, repository, image, and tag.
- Empty list matches no containers, PSS checks are applied at the pod level only.
- Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
- items:
- type: string
- type: array
- restrictedField:
- description: |-
- RestrictedField selects the field for the given Pod Security Standard control.
- When not set, all restricted fields for the control are selected.
- type: string
- values:
- description: Values defines the allowed values that can be excluded.
- items:
- type: string
- type: array
- required:
- - controlName
- type: object
- type: array
- required:
- - exceptions
- - match
- type: object
- required:
- - spec
- type: object
- served: false
- storage: false
- - name: v2beta1
- schema:
- openAPIV3Schema:
- description: PolicyException declares resources to be excluded from specified
- policies.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy exception behaviors.
- properties:
- background:
- description: |-
- Background controls if exceptions are applied to existing policies during a background scan.
- Optional. Default value is "true". The value must be set to "false" if the policy rule
- uses variables that are only available in the admission review request (e.g. user name).
- type: boolean
- conditions:
- description: |-
- Conditions are used to determine if a resource applies to the exception by evaluating a
- set of conditions. The declaration can contain nested `any` or `all` statements.
- properties:
- all:
- description: |-
- AllConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, all of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
any:
- description: |-
- AnyConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, at least one of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- type: object
- exceptions:
- description: Exceptions is a list policy/rules to be excluded
- items:
- description: Exception stores infos about a policy and rules
- properties:
- policyName:
- description: |-
- PolicyName identifies the policy to which the exception is applied.
- The policy name uses the format <namespace>/<name> unless it
- references a ClusterPolicy.
- type: string
- ruleNames:
- description: RuleNames identifies the rules to which the exception
- is applied.
- items:
- type: string
- type: array
- required:
- - policyName
- - ruleNames
- type: object
- type: array
- match:
- description: Match defines match clause used to check if a resource
- applies to the exception
- properties:
- all:
- description: All allows specifying resources which will be ANDed
+ description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
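Review bot: this hunk, together with the preceding one, deletes the `v2alpha1` version entirely, including its `podSecurity` exception schema (`served: false`, `storage: false` before the change). The API server rejects a CRD update that removes a version still listed in `status.storedVersions`, so the upgrade should be gated on checking that `v2alpha1` is absent from that list on the target clusters; it was never the storage version, so this is unlikely to bite, but a failed CRD apply in the crds subchart would leave the policy engine on the old schema.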
@@ -1432,211 +1048,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1696,13 +1113,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1766,13 +1185,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1884,5 +1305,5 @@
required:
- spec
type: object
served: true
- storage: true
+ storage: false
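Review bot: `storage: true` moves from `v2beta1` to the first version in the list, but objects already persisted in etcd keep their `v2beta1` encoding until they are rewritten, and `status.storedVersions` keeps listing `v2beta1`. Plan a storage-version migration (a no-op update of every PolicyException, or the storage version migrator) before a later release tries to remove `v2beta1`, otherwise that removal will be rejected for the same reason the `v2alpha1` removal in this diff depends on `storedVersions`.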
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: updaterequests.kyverno.io
spec:
group: kyverno.io
names:
@@ -50,8 +50,9 @@
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
name: v1beta1
schema:
openAPIV3Schema:
description: UpdateRequest is a request to process mutate and generate rules
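Review bot: `deprecated: true` without a `deprecationWarning` leaves clients with the generic apiserver warning text; add a `deprecationWarning` naming the replacement version so `kubectl` users see where to migrate. The version is still `served: true`, so existing v1beta1 clients keep working, which is the right staged approach.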
@@ -144,16 +145,14 @@
description: |-
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type for more details.
properties:
group:
type: string
@@ -170,16 +169,14 @@
description: |-
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type.
properties:
group:
type: string
@@ -243,8 +240,9 @@
of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -302,8 +300,9 @@
description: The names of groups this user is a part of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -405,9 +404,9 @@
- state
type: object
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.policy
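Review bot: this is the storage-version handoff for `updaterequests.kyverno.io`: v1beta1 drops to `storage: false` here and the later hunk in this file (`- storage: false` / `+ storage: true`) promotes the other version. Because the CRD has no conversion webhook visible in this rendering, the two schemas must round-trip with the default (`None`) conversion, i.e. differ only in fields that are safe to drop; the new `ruleContext` array added below to one version is exactly the kind of field that is lost when an object is read back through the v1beta1 endpoint, so consumers should stop reading v1beta1 before relying on it.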
@@ -457,9 +456,11 @@
spec:
description: ResourceSpec is the information to identify the trigger resource.
properties:
context:
- description: Context ...
+ description: |-
+ Context represents admission request context.
+ It is used upon admission review only and is shared across rules within the same UR.
properties:
admissionRequestInfo:
description: AdmissionRequestInfoObject stores the admission request
and operation details
@@ -524,16 +525,14 @@
description: |-
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type for more details.
properties:
group:
type: string
@@ -550,16 +549,14 @@
description: |-
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type.
properties:
group:
type: string
@@ -623,8 +620,9 @@
of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -682,8 +680,9 @@
description: The names of groups this user is a part of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -696,10 +695,11 @@
type: object
type: object
type: object
deleteDownstream:
- description: DeleteDownstream represents whether the downstream needs
- to be deleted.
+ description: |-
+ DeleteDownstream represents whether the downstream needs to be deleted.
+ Deprecated
type: boolean
policy:
description: Specifies the name of the policy.
type: string
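Review bot: the new "Deprecated" line on `deleteDownstream` gives no removal target, whereas the `synchronize` deprecation added further down in this file says "will be removed in 1.14"; stating the same removal version here would let operators plan one migration instead of guessing. Note also that `deleteDownstream` is still listed under the top-level `required:` in this version, so it cannot actually be omitted yet.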
@@ -731,12 +731,58 @@
type: object
rule:
description: Rule is the associate rule name of the current UR.
type: string
+ ruleContext:
+ description: |-
+ RuleContext is the associate context to apply rules.
+ optional
+ items:
+ properties:
+ deleteDownstream:
+ description: DeleteDownstream represents whether the downstream
+ needs to be deleted.
+ type: boolean
+ rule:
+ description: Rule is the associate rule name of the current
+ UR.
+ type: string
+ synchronize:
+ description: |-
+ Synchronize represents the sync behavior of the corresponding rule
+ Optional. Defaults to "false" if not specified.
+ type: boolean
+ trigger:
+ description: ResourceSpec is the information to identify the
+ trigger resource.
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ required:
+ - deleteDownstream
+ - rule
+ - trigger
+ type: object
+ type: array
synchronize:
description: |-
Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to "false" if not specified.
+ Deprecated, will be removed in 1.14.
type: boolean
required:
- context
- deleteDownstream
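Review bot: two consistency points on the new `ruleContext` block. First, the top-level `required:` list still carries `deleteDownstream` even though its description now says "Deprecated", so clients are forced to set a deprecated field while the per-rule `ruleContext[].deleteDownstream` is also required; one of the two should be the source of truth. Second, `ruleContext` is a new array without `x-kubernetes-list-type`, while every other array touched in this patch gained `atomic`; without a list type, server-side apply treats it as atomic by default anyway, but being explicit avoids the default changing under a future controller-gen. The dangling "optional" line in the description also reads like a stray marker comment rather than user-facing text.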
@@ -782,7 +828,7 @@
- state
type: object
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clusterephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
@@ -186,13 +186,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -205,26 +207,10 @@
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to
+ let you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -236,9 +222,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: ephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
@@ -186,13 +186,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -205,26 +207,10 @@
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to
+ let you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -236,9 +222,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clusterpolicyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
@@ -126,13 +126,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -145,26 +147,10 @@
resources:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to let
+ you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -176,9 +162,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -277,9 +262,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -337,13 +321,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
diff -U 4 -r out/target/falco/values-k3d.yaml/sx-falco/charts/falco/templates/daemonset.yaml out/pr/falco/values-k3d.yaml/sx-falco/charts/falco/templates/daemonset.yaml
--- out/target/falco/values-k3d.yaml/sx-falco/charts/falco/templates/daemonset.yaml 2024-11-22 16:44:49.712319644 +0000
+++ out/pr/falco/values-k3d.yaml/sx-falco/charts/falco/templates/daemonset.yaml 2024-11-22 16:44:18.176484390 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-falco
namespace: default
labels:
- helm.sh/chart: falco-4.11.1
+ helm.sh/chart: falco-4.14.1
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "0.39.1"
app.kubernetes.io/managed-by: Helm
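Review bot: the chart moves three minor releases (`falco-4.11.1` to `falco-4.14.1`) while the `app.kubernetes.io/version` label stays `"0.39.1"`, so this upgrade changes chart templating and configuration but not the Falco binary; confirm that matches expectations, since the `checksum/config` change in the next hunk means the DaemonSet will roll anyway and the rendered config should be diffed against the running one.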
@@ -22,9 +22,9 @@
labels:
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
annotations:
- checksum/config: 7fb71e394a95d8fa8e003fb88c1c50ebb49871633c58a4357331af9f92655caf
+ checksum/config: 48f0e189671b9df6ce1053f72b59dbb2760a4269123968d8384be15c5edff208
checksum/rules: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
checksum/certs: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
spec:
serviceAccountName: release-name-falco
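Review bot: `checksum/rules` and `checksum/certs` are both `e3b0c442...b855`, which is SHA-256 of empty input, so no custom rules files and no TLS certs are rendered into this DaemonSet by the values in use. That is fine if rules are pulled by the `falcoctl-artifact-install` init container and gRPC/TLS outputs are unused, but it is worth stating in the PR, because a rules override that silently fails to render would look identical to this. Only `checksum/config` changes, so the pod restart is driven by the falco config map alone.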
@@ -119,9 +119,8 @@
- mountPath: /rulesfiles
name: rulesfiles-install-dir
- mountPath: /etc/falcoctl
name: falcoctl-config-volume
- env:
initContainers:
- name: falcoctl-artifact-install
image: docker.io/falcosecurity/falcoctl:0.10.0
imagePullPolicy: IfNotPresent
@@ -136,9 +135,8 @@
- mountPath: /rulesfiles
name: rulesfiles-install-dir
- mountPath: /etc/falcoctl
name: falcoctl-config-volume
- env:
volumes:
- name: plugins-install-dir
emptyDir: {}
- name: rulesfiles-install-dir
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: policyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
@@ -125,13 +125,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -144,26 +146,10 @@
resources:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to let
+ you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -175,9 +161,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -276,9 +261,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -336,13 +320,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
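Review bot: the new `clusterRoleSelectors` entry makes the admission controller's ClusterRole aggregate every ClusterRole in the cluster that carries `rbac.kyverno.io/aggregate-to-admission-controller: "true"`. Selectors in an `aggregationRule` are ORed, and aggregation does not care who created the labelled role, so this label becomes a privilege-extension point for the Kyverno service account; anyone allowed to create or label ClusterRoles can widen it. That is acceptable given ClusterRole creation is already a cluster-admin-level right, but it deserves an audit rule or policy watching for that label, and the PR should note that this replaces the wildcard read rule removed further down in this file.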
@@ -27,10 +29,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -71,12 +73,8 @@
- updaterequests
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
verbs:
- create
- delete
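Review bot: the write verbs on `admissionreports`, `clusteradmissionreports`, `backgroundscanreports` and `clusterbackgroundscanreports` are dropped from this rule, which is a welcome reduction; if the reporting path now uses the `reports.kyverno.io` ephemeral report types whose CRDs are rendered elsewhere in this diff, verify the controller that writes them is granted those resources, since nothing in this ClusterRole grants them.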
@@ -150,12 +148,4 @@
- patch
- get
- list
- watch
- - apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
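Review bot: removing the `get`/`list`/`watch` rule over `apiGroups: '*'` / `resources: '*'` takes cluster-wide read of every resource, Secrets included, away from the admission controller; this is the most security-relevant change in the PR and should be called out in the description. The replacement read access is the binding to the built-in `view` ClusterRole added in the next file, and `view` deliberately excludes Secrets and only covers CRDs whose ClusterRoles are labelled `aggregate-to-view`. Any policy that uses API-call context lookups or mutate-existing rules against Secrets or unlabelled CRDs will start failing authorization after this upgrade, and the fix is a dedicated ClusterRole with the `rbac.kyverno.io/aggregate-to-admission-controller` label rather than restoring the wildcard.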
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,14 +8,35 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:admission-controller
subjects:
- kind: ServiceAccount
name: kyverno-admission-controller
namespace: default
+---
+# Source: sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: release-name-kyverno:admission-controller:view
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: release-name-kyverno
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+ - kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: default
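Review bot: the new `release-name-kyverno:admission-controller:view` binding grants the built-in `view` ClusterRole cluster-wide to the `kyverno-admission-controller` service account. Two things to keep in mind: `view` is itself aggregated, so any chart that labels a ClusterRole with `rbac.authorization.k8s.io/aggregate-to-view` silently extends what this service account can read; and it is cluster-scoped even though the controller's own Role (later in this diff) is namespaced. Both are reasonable for an admission controller that must see resources in every namespace, but the aggregated scope is worth documenting next to the wildcard removal it replaces.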
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-admission-controller
initContainers:
- name: kyverno-pre
- image: "ghcr.io/kyverno/kyvernopre:v1.12.6"
+ image: "ghcr.io/kyverno/kyvernopre:v1.13.1"
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
- --v=2
@@ -75,8 +75,10 @@
type: RuntimeDefault
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: release-name-kyverno:admission-controller
- name: INIT_CONFIG
value: release-name-kyverno
- name: METRICS_CONFIG
value: release-name-kyverno-metrics
@@ -93,16 +95,18 @@
- name: KYVERNO_SVC
value: release-name-kyverno-svc
containers:
- name: kyverno
- image: "ghcr.io/kyverno/kyverno:v1.12.6"
+ image: "ghcr.io/kyverno/kyverno:v1.13.1"
imagePullPolicy: IfNotPresent
args:
- --caSecretName=release-name-kyverno-svc.default.svc.kyverno-tls-ca
- --tlsSecretName=release-name-kyverno-svc.default.svc.kyverno-tls-pair
- --backgroundServiceAccountName=system:serviceaccount:default:kyverno-background-controller
+ - --reportsServiceAccountName=system:serviceaccount:default:kyverno-reports-controller
- --servicePort=443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --admissionReports=true
@@ -112,16 +116,18 @@
- --enableDeferredLoading=true
- --dumpPayload=false
- --forceFailurePolicyIgnore=false
- --generateValidatingAdmissionPolicy=false
+ - --dumpPatches=false
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
- --protectManagedResources=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
resources:
limits:
memory: 1Gi
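Review bot: `- --enablePolicyException=true` becomes `+ --enablePolicyException=false`, which silently disables every PolicyException object in the cluster after the upgrade; workloads that relied on an exception will be denied by Enforce policies or start appearing as failures in Audit reports. Confirm that no PolicyException resources exist, or set the corresponding chart value explicitly to keep the previous behaviour, before merging. The new `--enableReporting=validate,mutate,mutateExisting,imageVerify,generate` and `--dumpPatches=false` defaults are fine to keep.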
@@ -160,8 +166,10 @@
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: release-name-kyverno:admission-controller
- name: KYVERNO_SVC
value: release-name-kyverno-svc
- name: TUF_ROOT
value: /.sigstore
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,19 +9,21 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- ''
resources:
- secrets
+ - serviceaccounts
verbs:
- get
- list
- watch
+ - patch
- create
- update
- delete
- apiGroups:
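Review bot: adding `+ - serviceaccounts` to the rule that already lists `secrets` gives the admission controller get/list/watch/create/update/delete, plus the new `+ - patch`, on ServiceAccounts in its namespace, because all resources in one rule share the verb list. Write access to ServiceAccounts is a larger grant than the rest of this hunk suggests; if the controller only needs to read them, move `serviceaccounts` into its own rule with get/list/watch and keep the write verbs on `secrets` alone.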
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: release-name-kyverno:admission-controller
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,16 +9,17 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
@@ -34,10 +35,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml 2024-11-22 16:44:28.796436641 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: admission-controller
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
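Review bot: the new selector `+ rbac.kyverno.io/aggregate-to-background-controller: "true"` turns the controller's ClusterRole into a label-aggregated role: any ClusterRole carrying that label, from any chart or any principal allowed to create ClusterRoles, is merged into the background controller's permissions without touching this chart. That is the intended extension point for the Secret permissions removed later in this file, but it also means future privilege changes to the controller will not show up in this rendered diff. Consider an audit query or a Kyverno policy that reports ClusterRoles carrying `rbac.kyverno.io/aggregate-to-*` labels.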
@@ -27,10 +29,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -40,9 +42,11 @@
- apiGroups:
- kyverno.io
resources:
- policies
+ - policies/status
- clusterpolicies
+ - clusterpolicies/status
- policyexceptions
- updaterequests
- updaterequests/status
- globalcontextentries
@@ -77,15 +81,21 @@
- patch
- update
- watch
- apiGroups:
- - '*'
+ - reports.kyverno.io
resources:
- - '*'
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
- - get
- - list
- - watch
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
- apiGroups:
- networking.k8s.io
resources:
- ingresses
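Review bot: the cluster-wide read-everything rule (`- - '*'` for both apiGroups and resources, with get/list/watch) is replaced by full CRUD on `reports.kyverno.io` `ephemeralreports` and `clusterephemeralreports`, and the broad read moves to a binding to the built-in `view` ClusterRole in clusterrolebinding.yaml below. The net effect is a narrower controller, since `view` excludes Secrets while `'*'` included them. Check that no background policy depends on reading Secrets or on CRDs whose ClusterRoles are not aggregated into `view`; those now need an explicitly aggregated ClusterRole.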
@@ -109,9 +119,8 @@
- apiGroups:
- ""
resources:
- configmaps
- - secrets
- resourcequotas
- limitranges
verbs:
- create
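Review bot: removing `- - secrets` from the rule that grants `create` (and the verbs that follow it) means the background controller can no longer create or update Secrets. Any generate or mutateExisting policy that produces Secrets, for instance copying registry credentials or TLS material into new namespaces, will fail after this upgrade with RBAC errors at runtime rather than at render time. Inventory such policies before merging and, where needed, add a ClusterRole labelled `rbac.kyverno.io/aggregate-to-background-controller: "true"` carrying exactly the Secret verbs required.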
diff -U 4 -r out/target/falco/values-k3d.yaml/sx-falco/charts/falco/templates/falcoctl-configmap.yaml out/pr/falco/values-k3d.yaml/sx-falco/charts/falco/templates/falcoctl-configmap.yaml
--- out/target/falco/values-k3d.yaml/sx-falco/charts/falco/templates/falcoctl-configmap.yaml 2024-11-22 16:44:49.712319644 +0000
+++ out/pr/falco/values-k3d.yaml/sx-falco/charts/falco/templates/falcoctl-configmap.yaml 2024-11-22 16:44:18.176484390 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-falco-falcoctl
namespace: default
labels:
- helm.sh/chart: falco-4.11.1
+ helm.sh/chart: falco-4.14.1
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "0.39.1"
app.kubernetes.io/managed-by: Helm
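Review bot: this falco hunk (`helm.sh/chart: falco-4.11.1` to `falco-4.14.1`, app version unchanged at `"0.39.1"`) is interleaved with the kyverno files, confirming that the rendered diff covers more than the external-secrets bump named in the PR title. Three minor chart versions of the runtime detection stack are skipped in one step; check the intermediate chart changelogs for rule-set or driver changes before merging under a title that does not mention them.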
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,14 +8,35 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:background-controller
subjects:
- kind: ServiceAccount
name: kyverno-background-controller
namespace: default
+---
+# Source: sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: release-name-kyverno:background-controller:view
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: release-name-kyverno
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: default
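Review bot: the new `release-name-kyverno:background-controller:view` binding grants the controller the built-in `view` ClusterRole cluster-wide as the replacement for the removed wildcard read rule; this is a reduction in scope, but `view` is itself aggregated, so any CRD whose chart labels its ClusterRole `rbac.authorization.k8s.io/aggregate-to-view` becomes readable by the controller without a change here. Note also that the `subjects` entry is fixed to `namespace: default`, so the binding only takes effect if the release really is installed in `default`.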
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-background-controller
containers:
- name: controller
- image: "ghcr.io/kyverno/background-controller:v1.12.6"
+ image: "ghcr.io/kyverno/background-controller:v1.13.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
@@ -64,15 +64,17 @@
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-background-controller
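Review bot: the same `--enablePolicyException=false` flip as in the admission controller is applied here. The two controllers read the flag independently, so confirm that whatever value override is chosen reaches both deployments; otherwise exceptions could be honoured at admission time but ignored during background scans (or the reverse), yielding inconsistent reports.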
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
rules:
- apiGroups:
- ''
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml 2024-11-22 16:44:28.796436641 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: background-controller
Only in out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates: cleanup
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
@@ -27,10 +29,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:cleanup-controller
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-cleanup-controller
containers:
- name: controller
- image: "ghcr.io/kyverno/cleanup-controller:v1.12.6"
+ image: "ghcr.io/kyverno/cleanup-controller:v1.13.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
@@ -66,8 +66,9 @@
- --tlsSecretName=kyverno-cleanup-controller.default.svc.kyverno-tls-pair
- --servicePort=443
- --cleanupServerPort=9443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --enableDeferredLoading=true
@@ -90,8 +91,10 @@
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-cleanup-controller
+ - name: KYVERNO_ROLE_NAME
+ value: release-name-kyverno:cleanup-controller
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
diff -U 4 -r out/target/falco/values-k3d.yaml/sx-falco/charts/falco/templates/serviceaccount.yaml out/pr/falco/values-k3d.yaml/sx-falco/charts/falco/templates/serviceaccount.yaml
--- out/target/falco/values-k3d.yaml/sx-falco/charts/falco/templates/serviceaccount.yaml 2024-11-22 16:44:49.708319680 +0000
+++ out/pr/falco/values-k3d.yaml/sx-falco/charts/falco/templates/serviceaccount.yaml 2024-11-22 16:44:18.176484390 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-falco
namespace: default
labels:
- helm.sh/chart: falco-4.11.1
+ helm.sh/chart: falco-4.14.1
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "0.39.1"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
rules:
- apiGroups:
- ''
@@ -59,4 +59,12 @@
- patch
- update
resourceNames:
- kyverno-cleanup-controller
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,16 +9,17 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
@@ -34,10 +35,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml 2024-11-22 16:44:28.796436641 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: cleanup-controller
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml 2024-11-22 16:44:28.796436641 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/resource-policy: "keep"
data:
enableDefaultRegistryMutation: "true"
@@ -35,16 +35,10 @@
[Binding,*,*]
[Pod/binding,*,*]
[ReplicaSet,*,*]
[ReplicaSet/*,*,*]
- [AdmissionReport,*,*]
- [AdmissionReport/*,*,*]
- [ClusterAdmissionReport,*,*]
- [ClusterAdmissionReport/*,*,*]
- [BackgroundScanReport,*,*]
- [BackgroundScanReport/*,*,*]
- [ClusterBackgroundScanReport,*,*]
- [ClusterBackgroundScanReport/*,*,*]
+ [EphemeralReport,*,*]
+ [ClusterEphemeralReport,*,*]
[ClusterRole,*,release-name-kyverno:admission-controller]
[ClusterRole,*,release-name-kyverno:admission-controller:core]
[ClusterRole,*,release-name-kyverno:admission-controller:additional]
[ClusterRole,*,release-name-kyverno:background-controller]
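Review bot: the `resourceFilters` entries for `AdmissionReport`, `ClusterAdmissionReport`, `BackgroundScanReport` and `ClusterBackgroundScanReport` are dropped in favour of `EphemeralReport` and `ClusterEphemeralReport`. If objects of the old kinds survive the upgrade, they are no longer excluded and will be evaluated and reported on by policies, adding noise and API load. Make sure the post-upgrade hooks in this chart actually clear the old report objects and that their CRDs are removed, rather than relying on the filter that this hunk deletes.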
@@ -129,6 +123,7 @@
[ServiceMonitor,default,kyverno-cleanup-controller]
[ServiceMonitor,default,kyverno-reports-controller]
[Secret,default,release-name-kyverno-svc.default.svc.*]
[Secret,default,kyverno-cleanup-controller.default.svc.*]
- webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\",\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"default\"]}],\"matchLabels\":null}}]"
+ updateRequestThreshold: "1000"
+ webhooks: "{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\",\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"default\"]}],\"matchLabels\":null}}"
webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}"
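Review bot: `webhooks` changes shape from a one-element JSON list `[{...}]` to a bare object `{...}` with identical content, so this is a config-format change that the 1.13 controller must accept, and any external tooling that patches this ConfigMap (GitOps overlays, kustomize patches) must be updated to the new shape or it will write a value the controller rejects. The carried-over `namespaceSelector` excludes `default` as well as `kyverno` and `kube-system`; because this release is rendered into `default`, nothing in that namespace is admission-checked, which deserves a line in the repo docs. `updateRequestThreshold: "1000"` is a new default and is fine.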
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml 2024-11-22 16:44:28.796436641 +0000
@@ -9,9 +9,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
data:
namespaces: "{\"exclude\":[],\"include\":[]}"
+ metricsExposure: "{\"kyverno_admission_requests_total\":{\"disabledLabelDimensions\":[\"resource_namespace\"]},\"kyverno_admission_review_duration_seconds\":{\"disabledLabelDimensions\":[\"resource_namespace\"]},\"kyverno_cleanup_controller_deletedobjects_total\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"policy_namespace\"]},\"kyverno_policy_execution_duration_seconds\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"resource_request_operation\"]},\"kyverno_policy_results_total\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"policy_namespace\"]},\"kyverno_policy_rule_info_total\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"policy_namespace\"]}}"
bucketBoundaries: "0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30"
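Review bot: the new `metricsExposure` entry drops the `resource_namespace` label (and for some series `policy_namespace` and `resource_request_operation`) from `kyverno_policy_results_total`, `kyverno_admission_requests_total` and the other series listed. That is a sensible cardinality cut, but any alert or dashboard that slices policy failures per namespace stops working after the upgrade; grep the Prometheus rules for those labels before merging and override the value if per-namespace detection is required.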
Only in out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks: post-delete-configmap.yaml
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
spec:
@@ -23,9 +23,9 @@
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: "bitnami/kubectl:1.28.5"
+ image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- -c
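Review bot: `bitnami/kubectl` moves from `1.28.5` to `1.30.2` while `imagePullPolicy:` stays empty (so the Kubernetes default applies, which is fine for a pinned tag). kubectl is supported within one minor version of the API server, so confirm the target clusters are on 1.29 or newer before merging; the same bump appears in `pre-delete-scale-to-zero.yaml` below and needs the same check.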
@@ -45,9 +45,9 @@
fi
done
COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
-
+
if [ $COUNT -gt 0 ]; then
echo "deleting $COUNT clusterpolicyreports"
kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
else |
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "100"
@@ -26,10 +26,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
@@ -64,10 +64,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
@@ -90,10 +90,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "200"
@@ -105,23 +105,15 @@
serviceAccount: release-name-kyverno-migrate-resources
restartPolicy: Never
containers:
- name: kubectl
- image: "ghcr.io/kyverno/kyverno-cli:v1.12.6"
+ image: "ghcr.io/kyverno/kyverno-cli:v1.13.1"
imagePullPolicy: IfNotPresent
args:
- migrate
- --resource
- - admissionreports.kyverno.io
- - --resource
- - backgroundscanreports.kyverno.io
- - --resource
- cleanuppolicies.kyverno.io
- --resource
- - clusteradmissionreports.kyverno.io
- - --resource
- - clusterbackgroundscanreports.kyverno.io
- - --resource
- clustercleanuppolicies.kyverno.io
- --resource
- clusterpolicies.kyverno.io
- --resource
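Review bot: the `migrate` invocation no longer lists `admissionreports.kyverno.io`, `backgroundscanreports.kyverno.io`, `clusteradmissionreports.kyverno.io` and `clusterbackgroundscanreports.kyverno.io`, so the post-upgrade hook will not touch objects of those kinds any more, and the RBAC hunks further down drop the same resources. Together with the `kyverno-cli` bump from `v1.12.6` to `v1.13.1`, confirm the release notes for this chart version describe how existing report objects of these kinds are handled, and whether their CRDs are expected to remain installed, before cutting over.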
Only in out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks: pre-delete-configmap.yaml
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: pre-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
@@ -24,9 +24,9 @@
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: "bitnami/kubectl:1.28.5"
+ image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- '-c'
diff -U 4 -r out/target/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/configmap.yaml out/pr/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/configmap.yaml
--- out/target/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/configmap.yaml 2024-11-22 16:44:49.804318817 +0000
+++ out/pr/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/configmap.yaml 2024-11-22 16:44:18.260484015 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-falco
namespace: default
labels:
- helm.sh/chart: falco-4.11.1
+ helm.sh/chart: falco-4.14.1
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "0.39.1"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- kyverno.io
@@ -38,10 +38,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- kyverno.io
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- wgpolicyk8s.io
@@ -36,10 +36,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- wgpolicyk8s.io
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,28 +8,13 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
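Review bot: the aggregated admin role loses the whole `kyverno.io` rule for `admissionreports`, `clusteradmissionreports`, `backgroundscanreports` and `clusterbackgroundscanreports`, leaving only the `reports.kyverno.io` ephemeral reports. Helm does not remove CRDs on upgrade, so if the old report CRDs stay installed, admin users can no longer list or clean up leftover objects of those kinds through this role; plan their removal explicitly instead of relying on the chart.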
@@ -51,24 +36,13 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- kyverno.io
@@ -35,10 +35,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- kyverno.io
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
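Review bot: the `aggregationRule` now also selects any ClusterRole labelled `rbac.kyverno.io/aggregate-to-reports-controller: "true"`, with no `instance` or `part-of` constraint. This is the extension hook for custom resources the reports controller must read, but it also means any principal allowed to create ClusterRoles can widen this controller's permissions simply by applying that label; make sure ClusterRole creation is restricted and consider a policy that audits use of this label.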
@@ -27,10 +29,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -39,9 +41,8 @@
- get
- apiGroups:
- ''
resources:
- - secrets
- configmaps
- namespaces
verbs:
- get
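Review bot: `secrets` is removed from the cluster-wide rule, and a namespaced `Role` grant for `secrets` (`get`, `list`, `watch`) appears in `role.yaml` further down. This is a least-privilege improvement, but verify that no policy relies on the reports controller reading Secrets outside its own namespace (for example registry credentials referenced from other namespaces for image verification), as those reports would start failing after the upgrade.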
@@ -51,12 +52,8 @@
- kyverno.io
resources:
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
- policies
- clusterpolicies
verbs:
@@ -105,12 +102,4 @@
- events
verbs:
- create
- patch
- - apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
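Review bot: the catch-all `apiGroups: '*'` / `resources: '*'` / `get,list,watch` rule is dropped from the reports controller ClusterRole and replaced, per `clusterrolebinding.yaml` below, by a binding to the built-in `view` ClusterRole. This is a substantial privilege reduction and worth keeping, but `view` does not cover custom resources, so any background-scan or report policy that matches a CRD kind will need a ClusterRole carrying the new `rbac.kyverno.io/aggregate-to-reports-controller` label, otherwise those resources will no longer be scanned.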
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,14 +8,35 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:reports-controller
subjects:
- kind: ServiceAccount
name: kyverno-reports-controller
namespace: default
+---
+# Source: sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: release-name-kyverno:reports-controller:view
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: release-name-kyverno
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-reports-controller
+ namespace: default
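Review bot: the new `release-name-kyverno:reports-controller:view` binding grants the `kyverno-reports-controller` service account the built-in `view` ClusterRole, which is itself aggregated: any ClusterRole labelled `rbac.authorization.k8s.io/aggregate-to-view: "true"` (for example the kyverno `policies.yaml` and `policyreports.yaml` roles in this diff) automatically extends what the controller can read. Acceptable for a read-only reporter, but record it when auditing what this service account can see.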
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-reports-controller
containers:
- name: controller
- image: "ghcr.io/kyverno/reports-controller:v1.12.6"
+ image: "ghcr.io/kyverno/reports-controller:v1.13.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
@@ -64,8 +64,9 @@
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --admissionReports=true
- --aggregateReports=true
- --policyReports=true
- --validatingAdmissionPolicyReports=false
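Review bot: the added `--resyncPeriod=15m` makes the controller re-list its informers every 15 minutes; on large clusters this adds periodic API server load, so check the apiserver request rate after rollout and raise the value if needed.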
@@ -78,12 +79,12 @@
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
- - --reportsChunkSize=0
+ - --enablePolicyException=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-reports-controller
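Review bot: `--enablePolicyException` flips from `true` to `false` and `--reportsChunkSize=0` is removed, neither of which is a label-only change. With exceptions disabled in the reports controller, resources covered by a PolicyException will be shown as violations in policy reports even if the admission controller still honours the exception; if PolicyExceptions are in use, set the corresponding chart value explicitly so both controllers stay consistent. The new `--enableReporting=validate,mutate,mutateExisting,imageVerify,generate` default also changes which rule types produce report entries, so expect a change in report volume.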
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
rules:
- apiGroups:
- ''
@@ -24,8 +24,16 @@
resourceNames:
- release-name-kyverno
- release-name-kyverno-metrics
- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml 2024-11-22 16:45:00.116261436 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml 2024-11-22 16:44:28.804436605 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/daemonset.yaml out/pr/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/daemonset.yaml
--- out/target/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/daemonset.yaml 2024-11-22 16:44:49.804318817 +0000
+++ out/pr/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/daemonset.yaml 2024-11-22 16:44:18.260484015 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-falco
namespace: default
labels:
- helm.sh/chart: falco-4.11.1
+ helm.sh/chart: falco-4.14.1
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "0.39.1"
app.kubernetes.io/managed-by: Helm
@@ -22,9 +22,9 @@
labels:
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
annotations:
- checksum/config: 7fb71e394a95d8fa8e003fb88c1c50ebb49871633c58a4357331af9f92655caf
+ checksum/config: 48f0e189671b9df6ce1053f72b59dbb2760a4269123968d8384be15c5edff208
checksum/rules: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
checksum/certs: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
spec:
serviceAccountName: release-name-falco
@@ -119,9 +119,8 @@
- mountPath: /rulesfiles
name: rulesfiles-install-dir
- mountPath: /etc/falcoctl
name: falcoctl-config-volume
- env:
initContainers:
- name: falcoctl-artifact-install
image: docker.io/falcosecurity/falcoctl:0.10.0
imagePullPolicy: IfNotPresent
@@ -136,9 +135,8 @@
- mountPath: /rulesfiles
name: rulesfiles-install-dir
- mountPath: /etc/falcoctl
name: falcoctl-config-volume
- env:
volumes:
- name: plugins-install-dir
emptyDir: {}
- name: rulesfiles-install-dir
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml 2024-11-22 16:44:28.796436641 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: reports-controller
Only in out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests: admission-controller-liveness.yaml
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
Only in out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests: admission-controller-readiness.yaml
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml 2024-11-22 16:45:00.120261418 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml 2024-11-22 16:44:28.808436586 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -3,9 +3,9 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -4,9 +4,9 @@
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: release-name-loki-clusterrolebinding
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/config.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/config.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/config.yaml 2024-11-22 16:45:02.688250094 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/config.yaml 2024-11-22 16:44:31.404424769 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/falcoctl-configmap.yaml out/pr/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/falcoctl-configmap.yaml
--- out/target/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/falcoctl-configmap.yaml 2024-11-22 16:44:49.804318817 +0000
+++ out/pr/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/falcoctl-configmap.yaml 2024-11-22 16:44:18.260484015 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-falco-falcoctl
namespace: default
labels:
- helm.sh/chart: falco-4.11.1
+ helm.sh/chart: falco-4.14.1
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "0.39.1"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml 2024-11-22 16:45:02.688250094 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml 2024-11-22 16:44:31.404424769 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
@@ -24,9 +24,9 @@
app.kubernetes.io/component: gateway
template:
metadata:
annotations:
- checksum/config: e215354cf07ecff71fc2ce50866913c6b4b6366ced507bee88b7ca39de94d425
+ checksum/config: be4ab76f3040390f4a4b7572a6963da71a57a82a4453398a53c8f6e5045beadb
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: gateway
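Review bot: the checksum/config annotation changes in this hunk, so the upgrade will roll the release-name-loki-gateway pods even though the gateway ConfigMap diff above shows only the helm.sh/chart label changing; that is consistent with the hash covering the whole rendered ConfigMap, labels included, so a chart bump alone produces a new hash. Plan for a gateway restart during the rollout and, to be sure the nginx configuration itself is unchanged, diff the rendered ConfigMap data rather than relying on this annotation.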
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-canary
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-canary
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml 2024-11-22 16:45:02.688250094 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml 2024-11-22 16:44:31.404424769 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-canary
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml 2024-11-22 16:45:02.688250094 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml 2024-11-22 16:44:31.404424769 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-dashboards-1
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml 2024-11-22 16:45:02.688250094 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml 2024-11-22 16:44:31.404424769 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-dashboards-2
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -60,9 +60,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/serviceaccount.yaml out/pr/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/serviceaccount.yaml
--- out/target/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/serviceaccount.yaml 2024-11-22 16:44:49.800318853 +0000
+++ out/pr/falco/values-uibklab.yaml/sx-falco/charts/falco/templates/serviceaccount.yaml 2024-11-22 16:44:18.260484015 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-falco
namespace: default
labels:
- helm.sh/chart: falco-4.11.1
+ helm.sh/chart: falco-4.14.1
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "0.39.1"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -4,9 +4,9 @@
kind: Service
metadata:
name: release-name-loki-results-cache
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -4,9 +4,9 @@
kind: StatefulSet
metadata:
name: release-name-loki-results-cache
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml 2024-11-22 16:45:02.688250094 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml 2024-11-22 16:44:31.404424769 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-runtime
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-memberlist
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml 2024-11-22 16:45:02.688250094 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml 2024-11-22 16:44:31.404424769 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-headless
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
@@ -32,9 +32,9 @@
app.kubernetes.io/component: single-binary
template:
metadata:
annotations:
- checksum/config: 696c965508a81ca33542bb85cf1a934fed733dbec17e7e34ddf80a9921ba2475
+ checksum/config: 41c65b0f686d2a7a444393eafb6266573ad6265198ae3fde26fe7e6ab578146f
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: single-binary
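Review bot: the checksum/config change here restarts the release-name-loki StatefulSet pod(s) on upgrade; the Loki config ConfigMap rendered for the metalstack values shows only the chart label changing in this diff, so this is most likely a label-driven hash change rather than a configuration change, but confirm it by diffing the rendered loki ConfigMap data for values-k3d.yaml. Because this is the single-binary mode, the restart interrupts ingestion and querying for the whole Loki instance, so schedule the upgrade where that gap is acceptable or confirm the log shippers buffer across it.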
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -3,13 +3,12 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["configmaps", "secrets"]
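Review bot: this hunk drops the app.kubernetes.io/managed-by: Helm label from the ClusterRole (the removed line has no replacement) alongside the bump to grafana-8.6.0 and the appVersion change from "11.2.2-security-01" to "11.3.0". Two things to check before merging: first, whether the label removal is intended in chart 8.6.0 or a template regression, since anything that selects on managed-by=Helm (policy engines, inventory, cost attribution) will stop matching this object; second, that 11.3.0 carries the fix shipped in the 11.2.2-security-01 build, because moving from a security-suffixed patch release to a plain minor release only keeps the fix if the minor was cut after it. Separately, the first rule visible here grants this ClusterRole access to configmaps and secrets in the core API group, which through the ClusterRoleBinding applies cluster-wide; if the dashboard and datasource sidecars only read from the Grafana namespace, a namespaced Role would be the least-privilege choice.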
diff -U 4 -r out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml
--- out/target/loki/values-k3d.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml 2024-11-22 16:45:02.692250076 +0000
+++ out/pr/loki/values-k3d.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml 2024-11-22 16:44:31.408424750 +0000
@@ -5,9 +5,9 @@
metadata:
name: "loki-helm-test"
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml 2024-11-22 16:44:31.196425716 +0000
@@ -3,9 +3,9 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -4,9 +4,9 @@
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: release-name-loki-clusterrolebinding
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/config.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/config.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/config.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/config.yaml 2024-11-22 16:44:31.196425716 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml 2024-11-22 16:44:31.196425716 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
@@ -24,9 +24,9 @@
app.kubernetes.io/component: gateway
template:
metadata:
annotations:
- checksum/config: e215354cf07ecff71fc2ce50866913c6b4b6366ced507bee88b7ca39de94d425
+ checksum/config: be4ab76f3040390f4a4b7572a6963da71a57a82a4453398a53c8f6e5045beadb
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: gateway
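Review bot: this hunk rolls the metalstack gateway pods as well, with the same old and new checksum values as the k3d rendering, which shows the gateway ConfigMap content is identical across the two values files and that the hash moved for the same reason (the label change in the hashed template). Nothing to fix, but factor a gateway restart on both environments into the rollout.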
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-canary
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-canary
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -4,13 +4,12 @@
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: release-name-grafana-clusterrolebinding
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
subjects:
- kind: ServiceAccount
name: release-name-grafana
namespace: default
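Review bot: same managed-by label drop as in the ClusterRole hunk; this binding attaches the release-name-grafana ServiceAccount in namespace default to a ClusterRole that covers configmaps and secrets, so once the label is gone, tooling that inventories Helm-managed RBAC by label will miss a cluster-wide secret-reading binding. Confirm the removal is intended by the chart and not a template regression.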
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml 2024-11-22 16:44:31.196425716 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-canary
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml 2024-11-22 16:44:31.196425716 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-dashboards-1
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml 2024-11-22 16:44:31.196425716 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-dashboards-2
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -60,9 +60,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -4,9 +4,9 @@
kind: Service
metadata:
name: release-name-loki-results-cache
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -4,9 +4,9 @@
kind: StatefulSet
metadata:
name: release-name-loki-results-cache
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml 2024-11-22 16:44:31.196425716 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-runtime
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-memberlist
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -3,13 +3,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
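Review bot: the `app.kubernetes.io/managed-by: Helm` label is dropped from this ConfigMap in the grafana-8.6.0 rendering (the `-` line has no matching `+`), and the same drop appears in the other grafana templates in this diff (configmap.yaml, headless-service.yaml, ingress.yaml). Any selector, policy or inventory tooling that keys on that label will stop matching these resources, so confirm the drop comes from the chart update itself and not from a values regression before merging.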
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml 2024-11-22 16:44:31.196425716 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml 2024-11-22 16:45:02.480251011 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-headless
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
@@ -32,9 +32,9 @@
app.kubernetes.io/component: single-binary
template:
metadata:
annotations:
- checksum/config: 5293e993334500c66482e039c53bd97c2feb355069756d3766c04b6ea1c82111
+ checksum/config: 5b5064caf3df643c20c16f26bd1302ab55499e44875c4dd9b71d537fb498aa0c
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: single-binary
diff -U 4 -r out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml
--- out/target/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml 2024-11-22 16:45:02.484250994 +0000
+++ out/pr/loki/values-metalstack.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml 2024-11-22 16:44:31.200425697 +0000
@@ -5,9 +5,9 @@
metadata:
name: "loki-helm-test"
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
Only in out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/charts: minio
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/backend/clusterrole.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -3,9 +3,9 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/backend/clusterrolebinding.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -4,9 +4,9 @@
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: release-name-loki-clusterrolebinding
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/config.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/config.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/config.yaml 2024-11-22 16:45:02.896249177 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/config.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
@@ -28,14 +28,18 @@
path_prefix: /var/loki
replication_factor: 1
storage:
s3:
- access_key_id: enterprise-logs
- bucketnames: chunks
- endpoint: release-name-minio.default.svc:9000
- insecure: true
+ access_key_id: ${ACCESSKEYID}
+ bucketnames: ${BUCKETNAME}
+ endpoint: https://"${ENDPOINT}"
+ http_config:
+ ca_file: /var/loki-tls/ca.crt
+ insecure_skip_verify: false
+ insecure: false
+ region: us-east-1
s3forcepathstyle: true
- secret_access_key: supersecret
+ secret_access_key: ${SECRETACCESSKEY}
frontend:
scheduler_address: ""
tail_proxy_url: ""
frontend_worker:
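Review bot: `endpoint: https://"${ENDPOINT}"` carries literal double quotes into the value. The quotes sit inside a plain YAML scalar, so after env expansion the endpoint becomes `https://"host"` rather than `https://host`; write `endpoint: https://${ENDPOINT}` or quote the whole scalar. The rest of the hunk is a clear improvement, replacing the hard-coded `supersecret` key and `insecure: true` with env-expanded credentials, a pinned `ca_file` and `insecure_skip_verify: false`; `region: us-east-1` is the one remaining hard-coded value and should be checked against the target object store.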
@@ -75,9 +79,18 @@
update_interval: 1m
ruler:
storage:
s3:
- bucketnames: ruler
+ access_key_id: ${ACCESSKEYID}
+ bucketnames: ${BUCKETNAME}
+ endpoint: https://"${ENDPOINT}"
+ http_config:
+ ca_file: /var/loki-tls/ca.crt
+ insecure_skip_verify: false
+ insecure: false
+ region: us-east-1
+ s3forcepathstyle: true
+ secret_access_key: ${SECRETACCESSKEY}
type: s3
runtime_config:
file: /etc/loki/runtime-config/runtime-config.yaml
schema_config:
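Review bot: same quoting problem as the chunk storage block above, `endpoint: https://"${ENDPOINT}"` will embed literal quotes in the ruler's S3 URL. Separately, the ruler now writes to `${BUCKETNAME}`, the same bucket as chunks, where it previously had its own `ruler` bucket; confirm the single-bucket layout is intended, since any retention or lifecycle rule applied to the chunks bucket will now also cover the stored rules.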
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml 2024-11-22 16:45:02.896249177 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/configmap-gateway.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
@@ -24,9 +24,9 @@
app.kubernetes.io/component: gateway
template:
metadata:
annotations:
- checksum/config: e215354cf07ecff71fc2ce50866913c6b4b6366ced507bee88b7ca39de94d425
+ checksum/config: be4ab76f3040390f4a4b7572a6963da71a57a82a4453398a53c8f6e5045beadb
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: gateway
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/configmap.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/configmap.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/configmap.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/configmap.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
data:
grafana.ini: |
[analytics]
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/ingress-gateway.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/gateway/service-gateway.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki-gateway
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/daemonset.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-canary
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/service.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-canary
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml 2024-11-22 16:45:02.896249177 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/loki-canary/serviceaccount.yaml 2024-11-22 16:44:31.604423858 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-canary
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml 2024-11-22 16:45:02.896249177 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-1.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-dashboards-1
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml 2024-11-22 16:45:02.896249177 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/dashboards/configmap-2.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-dashboards-2
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/grafana-agent.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -60,9 +60,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/logs-instance.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/monitoring/pod-logs.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana-headless
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
clusterIP: None
selector:
app.kubernetes.io/name: grafana
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -4,9 +4,9 @@
kind: Service
metadata:
name: release-name-loki-results-cache
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -4,9 +4,9 @@
kind: StatefulSet
metadata:
name: release-name-loki-results-cache
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml 2024-11-22 16:45:02.896249177 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/runtime-configmap.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-runtime
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/service-memberlist.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-memberlist
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml 2024-11-22 16:45:02.896249177 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/serviceaccount.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/service-headless.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: loki-headless
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/service.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/single-binary/statefulset.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-loki
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
@@ -32,9 +32,9 @@
app.kubernetes.io/component: single-binary
template:
metadata:
annotations:
- checksum/config: 5293e993334500c66482e039c53bd97c2feb355069756d3766c04b6ea1c82111
+ checksum/config: 7f31a1fe150477e3cf19e7fcc319d949385ac08efbb5e0a222a3442b5e42dafc
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: single-binary
@@ -77,8 +77,9 @@
imagePullPolicy: IfNotPresent
args:
- -config.file=/etc/loki/config/config.yaml
- -target=all
+ - -config.expand-env=true
ports:
- name: http-metrics
containerPort: 3100
protocol: TCP
@@ -90,8 +91,11 @@
protocol: TCP
env:
- name: GOMEMLIMIT
value: 3750MiB
+ envFrom:
+ - secretRef:
+ name: loki-s3-credentials
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
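Review bot: the `envFrom` `secretRef` to `loki-s3-credentials` is not marked optional, so the pod will not be admitted until that secret exists; because the secret is produced by the new `es-loki.yaml` ExternalSecret listed above, the first rollout depends on external-secrets syncing before the StatefulSet pod is created. Also check that the secret provides every key the config expands (`ACCESSKEYID`, `SECRETACCESSKEY`, `BUCKETNAME`, `ENDPOINT`), as nothing else in the container env supplies them; with `-config.expand-env=true` an unset variable expands to an empty string instead of failing startup, so a missing key only surfaces later as a storage error.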
@@ -113,8 +117,11 @@
- name: storage
mountPath: /var/loki
- name: sc-rules-volume
mountPath: "/rules"
+ - mountPath: /var/loki-tls
+ name: loki-s3-cert
+ readOnly: true
resources:
limits:
cpu: 3
memory: 4Gi
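Review bot: the read-only mount of `loki-s3-cert` at `/var/loki-tls` lines up with `ca_file: /var/loki-tls/ca.crt` in config.yaml, which means the secret must expose the CA under a key named exactly `ca.crt` (presumably what `es-na-cert.yaml` produces). A one-line comment in values stating that contract would help, because a differently named key fails only at S3 connect time rather than at deploy time.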
@@ -141,8 +148,11 @@
configMap:
name: loki-runtime
- name: sc-rules-volume
emptyDir: {}
+ - name: loki-s3-cert
+ secret:
+ secretName: loki-s3-cert
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
diff -U 4 -r out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml
--- out/target/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml 2024-11-22 16:45:02.900249159 +0000
+++ out/pr/loki/values-uibklab.yaml/sx-loki/charts/loki/templates/tests/test-canary.yaml 2024-11-22 16:44:31.608423840 +0000
@@ -5,9 +5,9 @@
metadata:
name: "loki-helm-test"
namespace: default
labels:
- helm.sh/chart: loki-6.18.0
+ helm.sh/chart: loki-6.19.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "3.2.0"
app.kubernetes.io/managed-by: Helm
Only in out/pr/loki/values-uibklab.yaml/sx-loki/templates: es-loki.yaml
Only in out/pr/loki/values-uibklab.yaml/sx-loki/templates: es-na-cert.yaml
Only in out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/charts: minio
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/alertmanager/alertmanager-statefulset.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/alertmanager/alertmanager-statefulset.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/alertmanager/alertmanager-statefulset.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/alertmanager/alertmanager-statefulset.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -44,9 +44,9 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: alertmanager
app.kubernetes.io/part-of: memberlist
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
checksum/alertmanager-fallback-config: 9bc7a5ec47599dfd64c58602e29e3df2168cee53f6114fbf2a1885ebae2c9bcc
namespace: "default"
spec:
serviceAccountName: release-name-mimir
@@ -83,8 +83,12 @@
emptyDir: {}
- name: alertmanager-fallback-config
configMap:
name: release-name-mimir-alertmanager-fallback-config
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
containers:
- name: alertmanager
image: "grafana/mimir:2.14.0"
imagePullPolicy: IfNotPresent
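Review bot: the first `+` line of this hunk is empty, which indicates the extra volume block in values starts with a newline; the same stray blank line appears in the volumeMounts hunk below and in the compactor and distributor templates. It is harmless to the YAML parser but makes the rendered diff noisy and can trip whitespace linters, so trim the leading newline in the values block.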
@@ -96,8 +100,12 @@
# timeout of 5 minutes, therefore the server timeout for Alertmanager
# needs to be higher to avoid connections being closed abruptly.
- "-server.http-idle-timeout=6m"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -135,4 +143,7 @@
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
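Review bot: `envFrom` is appended after `readOnlyRootFilesystem: true`, that is, at the very end of the container block following the `securityContext` map. Key order is irrelevant to the API server, but the stripped rendering here cannot show indentation, so verify in the source template that `envFrom` sits at container level and not nested under `securityContext`, where it would be rejected on apply.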
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/ingress.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/ingress.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/ingress.yaml 2024-11-22 16:44:52.100300165 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/ingress.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
tls:
- hosts:
- grafana-127-0-0-1.nip.io
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/compactor/compactor-statefulset.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/compactor/compactor-statefulset.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/compactor/compactor-statefulset.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/compactor/compactor-statefulset.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -47,9 +47,9 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: compactor
app.kubernetes.io/part-of: memberlist
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -78,8 +78,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: active-queries
emptyDir: {}
containers:
- name: compactor
@@ -89,8 +93,12 @@
- "-target=compactor"
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -124,4 +132,7 @@
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
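Review bot: `envFrom` with `secretRef: mimir-s3-credentials` injects every key of that Secret into the process environment, which is how `${ACCESSKEYID}` and `${SECRETACCESSKEY}` reach the config via `-config.expand-env=true`, but it also exposes the credentials to `kubectl exec ... env`, to `/proc/<pid>/environ` of anything sharing the pod, and to crash dumps. Keep the Secret keyed with only the four variables the config references so nothing else lands in the environment, and confirm that Mimir's `/config` endpoint renders `secret_access_key` redacted now that the value is real rather than `supersecret`.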
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/distributor/distributor-dep.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/distributor/distributor-dep.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/distributor/distributor-dep.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/distributor/distributor-dep.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -38,9 +38,9 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: distributor
app.kubernetes.io/part-of: memberlist
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -65,8 +65,12 @@
- "-server.grpc.keepalive.max-connection-age-grace=5m"
- "-server.grpc.keepalive.max-connection-idle=1m"
- "-shutdown-delay=90s"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -108,8 +112,11 @@
- name: "GOMAXPROCS"
value: "8"
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "1000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
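Review bot: the distributor never reads or writes the blocks bucket, so this `envFrom` hands it S3 credentials it cannot use. The same injection appears on the query-frontend, query-scheduler, overrides-exporter, nginx gateway and smoke-test job further down, which suggests it is set through `global.extraEnvFrom` and fans out to every component. Prefer the per-component `extraEnvFrom` on the components that actually open the bucket (compactor, ingester, store-gateway, querier, ruler and the alertmanager), so a compromise of a stateless edge pod does not yield bucket credentials.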
@@ -128,8 +135,11 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: storage
emptyDir: {}
- name: active-queries
emptyDir: {}
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/ingester/ingester-statefulset.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/ingester/ingester-statefulset.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/ingester/ingester-statefulset.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/ingester/ingester-statefulset.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -55,9 +55,9 @@
name: "ingester-zone-a"
rollout-group: ingester
zone: zone-a
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -86,8 +86,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: active-queries
emptyDir: {}
containers:
- name: ingester
@@ -98,8 +102,12 @@
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
- "-ingester.ring.instance-availability-zone=zone-a"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -142,8 +150,11 @@
- name: "GOMAXPROCS"
value: "4"
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "1000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
---
# Source: sx-mimir/charts/mimir/templates/ingester/ingester-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
@@ -200,9 +211,9 @@
name: "ingester-zone-b"
rollout-group: ingester
zone: zone-b
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -231,8 +242,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: active-queries
emptyDir: {}
containers:
- name: ingester
@@ -243,8 +258,12 @@
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
- "-ingester.ring.instance-availability-zone=zone-b"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -287,8 +306,11 @@
- name: "GOMAXPROCS"
value: "4"
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "1000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
---
# Source: sx-mimir/charts/mimir/templates/ingester/ingester-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
@@ -345,9 +367,9 @@
name: "ingester-zone-c"
rollout-group: ingester
zone: zone-c
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -376,8 +398,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: active-queries
emptyDir: {}
containers:
- name: ingester
@@ -388,8 +414,12 @@
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
- "-ingester.ring.instance-availability-zone=zone-c"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -432,4 +462,7 @@
- name: "GOMAXPROCS"
value: "4"
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "1000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/mimir-config.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/mimir-config.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/mimir-config.yaml 2024-11-22 16:45:06.184238492 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/mimir-config.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -21,29 +21,33 @@
enable_api: true
external_url: /alertmanager
fallback_config_file: /configs/alertmanager_fallback_config.yaml
alertmanager_storage:
- backend: s3
s3:
- access_key_id: grafana-mimir
- bucket_name: mimir-ruler
- endpoint: release-name-minio.default.svc:9000
- insecure: true
- secret_access_key: supersecret
+ bucket_name: observability-stack-bucket
+ storage_prefix: alertmanager
blocks_storage:
backend: s3
bucket_store:
sync_dir: /data/tsdb-sync
s3:
- access_key_id: grafana-mimir
- bucket_name: mimir-tsdb
- endpoint: release-name-minio.default.svc:9000
- insecure: true
- secret_access_key: supersecret
+ bucket_name: observability-stack-bucket
+ storage_prefix: blocks
tsdb:
dir: /data/tsdb
head_compaction_interval: 15m
wal_replay_concurrency: 3
+ common:
+ storage:
+ backend: s3
+ s3:
+ access_key_id: ${ACCESSKEYID}
+ bucket_name: ${BUCKETNAME}
+ endpoint: ${ENDPOINT}
+ http:
+ tls_ca_path: /var/mimir-tls/ca.crt
+ insecure: false
+ secret_access_key: ${SECRETACCESSKEY}
compactor:
compaction_interval: 30m
data_dir: /data
deletion_delay: 2h
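Review bot: `common.storage.s3.bucket_name: ${BUCKETNAME}` in this hunk is shadowed, because `alertmanager_storage.s3.bucket_name` and `blocks_storage.s3.bucket_name` (and `ruler_storage` in the next hunk) explicitly set `observability-stack-bucket`, and Mimir applies `common` values only to fields the specific block leaves unset; either drop the three per-block `bucket_name` lines or drop `BUCKETNAME` from the Secret, so the bucket has one source of truth. The move from `insecure: true` with a literal `supersecret` key to `insecure: false`, `tls_ca_path` and env-expanded credentials is the right direction. With all three storages now sharing one bucket, the distinct `storage_prefix` values (`alertmanager`, `blocks`, `ruler`) are what keeps them apart, and Mimir refuses to start if two storages share both bucket and prefix, so keep them distinct. `blocks_storage` still carries `backend: s3` while the other two rely on `common.storage.backend`; harmless, but inconsistent.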
@@ -97,15 +101,11 @@
alertmanager_url: dnssrvnoa+http://_http-metrics._tcp.release-name-mimir-alertmanager-headless.default.svc.cluster.local./alertmanager
enable_api: true
rule_path: /data
ruler_storage:
- backend: s3
s3:
- access_key_id: grafana-mimir
- bucket_name: mimir-ruler
- endpoint: release-name-minio.default.svc:9000
- insecure: true
- secret_access_key: supersecret
+ bucket_name: observability-stack-bucket
+ storage_prefix: ruler
runtime_config:
file: /var/mimir/runtime.yaml
store_gateway:
sharding_ring:
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/minio/create-bucket-job.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/minio/create-bucket-job.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/minio/create-bucket-job.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/minio/create-bucket-job.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -3,46 +3,4 @@
# Minio provides post-install hook to create bucket
# however the hook won't be executed if helm install is run
# with --wait flag. Hence this job is a workaround for that.
# See https://github.com/grafana/mimir/issues/2464
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: release-name-mimir-make-minio-buckets-5.2.0
- namespace: "default"
- labels:
- app: mimir-make-bucket-job
- chart: mimir-5.5.0
- release: release-name
- heritage: Helm
-spec:
- template:
- metadata:
- labels:
- app: mimir-job
- release: release-name
- spec:
- restartPolicy: OnFailure
- volumes:
- - name: minio-configuration
- projected:
- sources:
- - configMap:
- name: release-name-minio
- - secret:
- name: release-name-minio
- containers:
- - name: minio-mc
- image: "quay.io/minio/mc:RELEASE.2024-04-18T16-45-29Z"
- imagePullPolicy: IfNotPresent
- command: ["/bin/sh", "/config/initialize"]
- env:
- - name: MINIO_ENDPOINT
- value: release-name-minio
- - name: MINIO_PORT
- value: "9000"
- volumeMounts:
- - name: minio-configuration
- mountPath: /config
- resources:
- requests:
- memory: 128Mi
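Review bot: with the Job removed, this template renders only the four-line comment header explaining the MinIO `--wait` workaround, which is a stale comment in the output but a chart quirk rather than something to fix here. What the hunk does not show is whether the `release-name-minio` ConfigMap, Secret and Deployment that this Job consumed are gone as well; the old Mimir config pointed at `release-name-minio.default.svc:9000` with the static `grafana-mimir` / `supersecret` pair, so check the rest of the rendered output that no MinIO object carrying those credentials survives the switch to the external bucket.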
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/nginx/nginx-dep.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/nginx/nginx-dep.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/nginx/nginx-dep.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/nginx/nginx-dep.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -55,8 +55,11 @@
ports:
- name: http-metric
containerPort: 8080
protocol: TCP
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
readinessProbe:
httpGet:
path: /
port: http-metric
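Review bot: nginx here is a reverse proxy in front of the Mimir components and never talks to object storage, so `envFrom: secretRef: mimir-s3-credentials` puts bucket credentials into the one pod that fronts external traffic. Drop it, and the `/var/mimir-tls` mount in the next hunk, from the gateway by setting the env and volume only on the components that need bucket access instead of globally.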
@@ -75,8 +78,11 @@
- name: tmp
mountPath: /tmp
- name: docker-entrypoint-d-override
mountPath: /docker-entrypoint.d
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
resources:
{}
topologySpreadConstraints:
- maxSkew: 1
@@ -94,4 +100,7 @@
- name: tmp
emptyDir: {}
- name: docker-entrypoint-d-override
emptyDir: {}
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/overrides-exporter/overrides-exporter-dep.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/overrides-exporter/overrides-exporter-dep.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/overrides-exporter/overrides-exporter-dep.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/overrides-exporter/overrides-exporter-dep.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -35,9 +35,9 @@
app.kubernetes.io/version: "2.14.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: overrides-exporter
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -55,8 +55,12 @@
- "-target=overrides-exporter"
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -90,8 +94,11 @@
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
terminationGracePeriodSeconds: 30
volumes:
- name: config
@@ -102,8 +109,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: storage
emptyDir: {}
- name: active-queries
emptyDir: {}
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/querier/querier-dep.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/querier/querier-dep.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/querier/querier-dep.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/querier/querier-dep.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -38,9 +38,9 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: querier
app.kubernetes.io/part-of: memberlist
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
spec:
serviceAccountName: release-name-mimir
securityContext:
fsGroup: 10001
@@ -57,8 +57,12 @@
- "-target=querier"
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -97,8 +101,11 @@
- name: "GOMAXPROCS"
value: "5"
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "5000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
@@ -117,8 +124,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: storage
emptyDir: {}
- name: active-queries
emptyDir: {}
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/query-frontend/query-frontend-dep.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/query-frontend/query-frontend-dep.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/query-frontend/query-frontend-dep.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/query-frontend/query-frontend-dep.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -36,9 +36,9 @@
app.kubernetes.io/version: "2.14.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: query-frontend
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -59,8 +59,12 @@
# Reduce the likelihood of queries hitting terminated query-frontends.
- "-server.grpc.keepalive.max-connection-age=30s"
- "-shutdown-delay=90s"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: runtime-config
mountPath: /var/mimir
- name: config
mountPath: /etc/mimir
@@ -94,8 +98,11 @@
readOnlyRootFilesystem: true
env:
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "5000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
@@ -114,8 +121,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: storage
emptyDir: {}
- name: active-queries
emptyDir: {}
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/query-scheduler/query-scheduler-dep.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/query-scheduler/query-scheduler-dep.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/query-scheduler/query-scheduler-dep.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/query-scheduler/query-scheduler-dep.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -35,9 +35,9 @@
app.kubernetes.io/version: "2.14.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: query-scheduler
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
spec:
serviceAccountName: release-name-mimir
securityContext:
fsGroup: 10001
@@ -54,8 +54,12 @@
- "-target=query-scheduler"
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: runtime-config
mountPath: /var/mimir
- name: config
mountPath: /etc/mimir
@@ -86,8 +90,11 @@
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
@@ -106,8 +113,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: storage
emptyDir: {}
- name: active-queries
emptyDir: {}
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/role.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/role.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/role.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/role.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -5,10 +5,9 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
rules: []
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/ruler/ruler-dep.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/ruler/ruler-dep.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/ruler/ruler-dep.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/ruler/ruler-dep.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -37,9 +37,9 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: ruler
app.kubernetes.io/part-of: memberlist
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -58,8 +58,12 @@
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
- "-distributor.remote-timeout=10s"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -96,8 +100,11 @@
readOnlyRootFilesystem: true
env:
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "1000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
@@ -116,8 +123,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: storage
emptyDir: {}
- name: active-queries
emptyDir: {}
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/smoke-test/smoke-test-job.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/smoke-test/smoke-test-job.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/smoke-test/smoke-test-job.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/smoke-test/smoke-test-job.yaml 2024-11-22 16:44:35.032395386 +0000
@@ -53,6 +53,17 @@
- "-tests.write-read-series-test.num-series=1000"
- "-tests.write-read-series-test.max-query-age=48h"
- "-server.http-listen-port=8080"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
restartPolicy: OnFailure
volumes:
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert |
diff -U 4 -r out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/store-gateway/store-gateway-statefulset.yaml out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/store-gateway/store-gateway-statefulset.yaml
--- out/target/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/store-gateway/store-gateway-statefulset.yaml 2024-11-22 16:45:06.188238489 +0000
+++ out/pr/mimir/values-uibklab.yaml/sx-mimir/charts/mimir/templates/store-gateway/store-gateway-statefulset.yaml 2024-11-22 16:44:35.028395430 +0000
@@ -55,9 +55,9 @@
name: "store-gateway-zone-a"
rollout-group: store-gateway
zone: zone-a
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -86,8 +86,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: active-queries
emptyDir: {}
containers:
- name: store-gateway
@@ -98,8 +102,12 @@
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
- "-store-gateway.sharding-ring.instance-availability-zone=zone-a"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -140,8 +148,11 @@
- name: "GOMEMLIMIT"
value: "536870912"
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "1000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
---
# Source: sx-mimir/charts/mimir/templates/store-gateway/store-gateway-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
@@ -198,9 +209,9 @@
name: "store-gateway-zone-b"
rollout-group: store-gateway
zone: zone-b
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -229,8 +240,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: active-queries
emptyDir: {}
containers:
- name: store-gateway
@@ -241,8 +256,12 @@
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
- "-store-gateway.sharding-ring.instance-availability-zone=zone-b"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -283,8 +302,11 @@
- name: "GOMEMLIMIT"
value: "536870912"
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "1000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
---
# Source: sx-mimir/charts/mimir/templates/store-gateway/store-gateway-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
@@ -341,9 +363,9 @@
name: "store-gateway-zone-c"
rollout-group: store-gateway
zone: zone-c
annotations:
- checksum/config: fe4d9b3a1b3c0e27787f39eb0dc6cf66e0a82373e815397a270a715e290f125e
+ checksum/config: 57cb6b895b9a7135bc8c5d5f1c56c4bdd421e78deb9699c061af9451fdda3916
namespace: "default"
spec:
serviceAccountName: release-name-mimir
securityContext:
@@ -372,8 +394,12 @@
path: "mimir.yaml"
- name: runtime-config
configMap:
name: release-name-mimir-runtime
+
+ - name: mimir-s3-cert
+ secret:
+ secretName: mimir-s3-cert
- name: active-queries
emptyDir: {}
containers:
- name: store-gateway
@@ -384,8 +410,12 @@
- "-config.expand-env=true"
- "-config.file=/etc/mimir/mimir.yaml"
- "-store-gateway.sharding-ring.instance-availability-zone=zone-c"
volumeMounts:
+
+ - mountPath: /var/mimir-tls
+ name: mimir-s3-cert
+ readOnly: true
- name: config
mountPath: /etc/mimir
- name: runtime-config
mountPath: /var/mimir
@@ -426,4 +456,7 @@
- name: "GOMEMLIMIT"
value: "536870912"
- name: "JAEGER_REPORTER_MAX_QUEUE_SIZE"
value: "1000"
+ envFrom:
+ - secretRef:
+ name: mimir-s3-credentials
Only in out/pr/mimir/values-uibklab.yaml/sx-mimir/templates: es-mimir.yaml
Only in out/pr/mimir/values-uibklab.yaml/sx-mimir/templates: es-na-cert.yaml
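Review bot: `es-mimir.yaml` and `es-na-cert.yaml` are new files whose contents are not in the rendered diff, yet every Mimir hunk above depends on them producing a `mimir-s3-credentials` Secret with keys `ACCESSKEYID`, `SECRETACCESSKEY`, `ENDPOINT` and `BUCKETNAME`, and a `mimir-s3-cert` Secret with a `ca.crt` key that ends up at exactly `/var/mimir-tls/ca.crt`. Please include those two ExternalSecret manifests in the diff so the key names, the `refreshInterval` and the SecretStore they pull from can be reviewed alongside the consumers.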
diff -U 4 -r out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/configmap-tempo-query.yaml out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/configmap-tempo-query.yaml
--- out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/configmap-tempo-query.yaml 2024-11-22 16:45:08.832236117 +0000
+++ out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/configmap-tempo-query.yaml 2024-11-22 16:44:37.560379023 +0000
@@ -5,9 +5,9 @@
metadata:
name: tempo-query
namespace: default
labels:
- helm.sh/chart: tempo-1.10.3
+ helm.sh/chart: tempo-1.11.0
app.kubernetes.io/name: tempo
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "2.5.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/configmap-tempo.yaml out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/configmap-tempo.yaml
--- out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/configmap-tempo.yaml 2024-11-22 16:45:08.832236117 +0000
+++ out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/configmap-tempo.yaml 2024-11-22 16:44:37.560379023 +0000
@@ -5,9 +5,9 @@
metadata:
name: tempo
namespace: default
labels:
- helm.sh/chart: tempo-1.10.3
+ helm.sh/chart: tempo-1.11.0
app.kubernetes.io/name: tempo
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "2.5.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/service.yaml out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/service.yaml
--- out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/service.yaml 2024-11-22 16:45:08.832236117 +0000
+++ out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/service.yaml 2024-11-22 16:44:37.560379023 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-tempo
namespace: default
labels:
- helm.sh/chart: tempo-1.10.3
+ helm.sh/chart: tempo-1.11.0
app.kubernetes.io/name: tempo
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "2.5.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/serviceaccount.yaml out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/serviceaccount.yaml
--- out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/serviceaccount.yaml 2024-11-22 16:45:08.832236117 +0000
+++ out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/serviceaccount.yaml 2024-11-22 16:44:37.560379023 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-tempo
namespace: default
labels:
- helm.sh/chart: tempo-1.10.3
+ helm.sh/chart: tempo-1.11.0
app.kubernetes.io/name: tempo
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "2.5.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/servicemonitor.yaml out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/servicemonitor.yaml
--- out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/servicemonitor.yaml 2024-11-22 16:45:08.832236117 +0000
+++ out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/servicemonitor.yaml 2024-11-22 16:44:37.560379023 +0000
@@ -5,15 +5,15 @@
metadata:
name: release-name-tempo
labels:
app: tempo
- chart: tempo-1.10.3
+ chart: tempo-1.11.0
release: release-name
heritage: Helm
spec:
selector:
matchLabels:
- helm.sh/chart: tempo-1.10.3
+ helm.sh/chart: tempo-1.11.0
app.kubernetes.io/name: tempo
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "2.5.0"
app.kubernetes.io/managed-by: Helm
diff -U 4 -r out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/statefulset.yaml out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/statefulset.yaml
--- out/target/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/statefulset.yaml 2024-11-22 16:45:08.832236117 +0000
+++ out/pr/tempo/values-k3d.yaml/sx-tempo/charts/tempo/templates/statefulset.yaml 2024-11-22 16:44:37.560379023 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-tempo
namespace: default
labels:
- helm.sh/chart: tempo-1.10.3
+ helm.sh/chart: tempo-1.11.0
app.kubernetes.io/name: tempo
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "2.5.0"
app.kubernetes.io/managed-by: Helm
@@ -23,9 +23,9 @@
labels:
app.kubernetes.io/name: tempo
app.kubernetes.io/instance: release-name
annotations:
- checksum/config: 4dca0f11d1108f5b0a2b2275727ad8d60ad97c99bd94b90a8ed8e8c9d829a69a
+ checksum/config: 027b2fd3395f02b8dc5efa430a0013f3409e5231dfae25dc32e2e6174e0b7995
spec:
serviceAccountName: release-name-tempo
automountServiceAccountToken: true
containers:
diff -U 4 -r out/target/vault/values-k3d.yaml/sx-vault/charts/vault/templates/server-statefulset.yaml out/pr/vault/values-k3d.yaml/sx-vault/charts/vault/templates/server-statefulset.yaml
--- out/target/vault/values-k3d.yaml/sx-vault/charts/vault/templates/server-statefulset.yaml 2024-11-22 16:45:09.872235057 +0000
+++ out/pr/vault/values-k3d.yaml/sx-vault/charts/vault/templates/server-statefulset.yaml 2024-11-22 16:44:38.896372959 +0000
@@ -30,18 +30,8 @@
component: server
annotations:
spec:
- affinity:
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: vault
- app.kubernetes.io/instance: "release-name"
- component: server
- topologyKey: kubernetes.io/hostname
-
terminationGracePeriodSeconds: 10
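Review bot: removing the required `podAntiAffinity` in this hunk allows two Vault server pods to land on the same node; for the single-node k3d values file that is the only way the pods schedule at all, but make sure this stays in `values-k3d.yaml` and does not leak into the lab or production values, where host spreading is what keeps the server set available when one node goes.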
@@ -64,8 +54,12 @@
- name: vault-root-token
secret:
optional: true
secretName: vault-init
+ - name: vault-ca-cert
+ secret:
+ defaultMode: 420
+ secretName: ca-cert
- name: home
emptyDir: {}
initContainers:
@@ -150,8 +144,10 @@
- name: HOME
value: "/home/vault"
+ - name: "VAULT_CACERT"
+ value: "/vault/userconfig/vault-ca/ca.crt"
volumeMounts:
- name: audit
@@ -169,8 +165,11 @@
- mountPath: /usr/local/libexec/vault
name: plugins
readOnly: false
+ - mountPath: /vault/userconfig/vault-ca
+ name: vault-ca-cert
+ readOnly: true
- name: home
mountPath: /home/vault
ports:
- containerPort: 8200
@@ -270,8 +269,36 @@
name: vault-root-token
- command:
- /bin/sh
- -c
+ - |
+ while true; do
+ echo "waiting for tomorrow :-)"
+ sleep 86400 # Runs daily, after 1 day
+ echo "Truncating log file..."
+ truncate -s 0 /vault/audit/audit.log
+ done
+ env:
+ - name: VAULT_ADDR
+ valueFrom:
+ secretKeyRef:
+ key: VAULT_ADDR
+ name: sx-vault-env-vars
+ image: hashicorp/vault:1.17.2
+ name: audit-cleanup
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ volumeMounts:
+ - mountPath: /vault-root-token
+ name: vault-root-token
+ - command:
+ - /bin/sh
+ - -c
- "while true; do\n sleep 10\n if [ -f /vault-root-token/root_token ]; then\n
\ export VAULT_TOKEN=$(cat /vault-root-token/root_token)\n VAULT_STATUS=$(vault
status)\n if echo \"$VAULT_STATUS\" | grep -q \"Sealed.*false\"; then\n if
[ ! $(vault read identity/group/name/admins) ]; then\n\n # kubernetes\n
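Review bot: the new `audit-cleanup` container runs `truncate -s 0 /vault/audit/audit.log`, but its only volumeMount is `/vault-root-token`; nothing mounts the `audit` volume into it, so the command acts on a path that exists only in the sidecar's own filesystem and the real audit log keeps growing. Mount the `audit` volume at `/vault/audit` and drop the root-token mount and the `VAULT_ADDR` env, which the loop never uses; a container whose job is to sleep and truncate a file should not hold the root token. Also reconsider zeroing the audit device in place at all: the audit log is Vault's forensic record, so rotate it, or ship it before truncating, rather than discarding a day of entries every 86400 seconds.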
@@ -284,9 +311,13 @@
\ /usr/local/libexec/vault/kubectl create secret generic crossplane-init
-n vault --from-literal=credentials='{\"token\":\"'${CROSSPLANETOKEN}'\"}' \n
\ vault write auth/kubernetes/role/crossplane bound_service_account_names=\"*\"
bound_service_account_namespaces=crossplane policies=crossplane ttl=24h \n\n
- \ else \n # workaround due to #422\n if [ ! $(vault list identity/group-alias/id)
+ \ else \n\n # due to #405\n if [ ! $(vault read auth/oidc/config)
+ ]; then\n vault auth enable oidc\n vault write auth/oidc/config
+ oidc_discovery_url=\"https://keycloak-127-0-0-1.nip.io/realms/sx-cnp-oss\" oidc_client_id=\"vault\"
+ oidc_client_secret=\"demosecret\" default_role=\"default\" oidc_discovery_ca_pem=@/vault/userconfig/vault-ca/ca.crt\n
+ \ fi\n\n # workaround due to #422\n if [ ! $(vault list identity/group-alias/id)
]; then\n echo vault admins group configured, just updating group aliases\n
\ vault list identity/group/name\n acc=$(vault auth list -format=json
| /usr/local/libexec/vault/jq -r '.[\"oidc/\"].accessor')\n vault list
identity/group/name |grep -A10 -- '----' |tail -n +2 | while read groupname ;
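Review bot: the added OIDC bootstrap puts `oidc_client_secret=\"demosecret\"` literally into the pod's command string, where it is readable by anyone who can list pods in the namespace and shows up verbatim in this rendered diff; the Crossplane resource removed further down sourced the same value from the `sx-vault-demosecret` Secret. Read it from a mounted Secret or a `secretKeyRef` env entry instead. Minor: `if [ ! $(vault read auth/oidc/config) ]` relies on an unquoted command substitution, so a multi-word response makes `[` fail with "too many arguments" rather than evaluating cleanly; `if ! vault read auth/oidc/config >/dev/null 2>&1; then` states the intent directly.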
@@ -321,8 +352,11 @@
- mountPath: /vault-root-token
name: vault-root-token
- mountPath: /usr/local/libexec/vault
name: plugins
+ - mountPath: /vault/userconfig/vault-ca
+ name: vault-ca-cert
+ readOnly: true
volumeClaimTemplates:
- metadata:
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: release-name-grafana
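Review bot: besides the chart bump, the `app.kubernetes.io/managed-by: Helm` label disappears from the RoleBinding (and from the Secret and Service further down). Anything that selects Helm-managed objects by this label will stop matching them; check whether grafana-8.6.0 dropped it on purpose or whether the values override the chart's label set.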
diff -U 4 -r out/target/vault/values-k3d.yaml/sx-vault/charts/vault/templates/tests/server-test.yaml out/pr/vault/values-k3d.yaml/sx-vault/charts/vault/templates/tests/server-test.yaml
--- out/target/vault/values-k3d.yaml/sx-vault/charts/vault/templates/tests/server-test.yaml 2024-11-22 16:45:09.872235057 +0000
+++ out/pr/vault/values-k3d.yaml/sx-vault/charts/vault/templates/tests/server-test.yaml 2024-11-22 16:44:38.896372959 +0000
@@ -16,8 +16,10 @@
env:
- name: VAULT_ADDR
value: http://release-name-vault.default.svc:8200
+ - name: "VAULT_CACERT"
+ value: "/vault/userconfig/vault-ca/ca.crt"
command:
- /bin/sh
- -c
- |
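Review bot: `VAULT_CACERT` is added here, but `VAULT_ADDR` in the same env block is still `http://release-name-vault.default.svc:8200`; the CA file only matters for an `https` listener, so as rendered the test pod talks to Vault in plaintext and the root token it reads from `/vault-root-token` crosses the network unencrypted. Either switch `VAULT_ADDR` to `https://` with TLS enabled on the listener, or document that the k3d values intentionally run without TLS and that the CA is consumed only by the OIDC discovery step.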
@@ -40,12 +42,19 @@
volumeMounts:
- mountPath: /usr/local/libexec/vault
name: plugins
readOnly: false
+ - mountPath: /vault/userconfig/vault-ca
+ name: vault-ca-cert
+ readOnly: true
volumes:
- emptyDir: {}
name: plugins
- name: vault-root-token
secret:
optional: true
secretName: vault-init
+ - name: vault-ca-cert
+ secret:
+ defaultMode: 420
+ secretName: ca-cert
restartPolicy: Never
diff -U 4 -r out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-authbackend-oidc.yaml out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-authbackend-oidc.yaml
--- out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-authbackend-oidc.yaml 2024-11-22 16:45:09.872235057 +0000
+++ out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-authbackend-oidc.yaml 2024-11-22 16:44:38.896372959 +0000
@@ -13,28 +13,9 @@
# forProvider:
# type: oidc
# path: oidc
#---
-apiVersion: jwt.vault.upbound.io/v1alpha1
-kind: AuthBackend
-metadata:
- name: oidc-backend
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
-spec:
- providerConfigRef:
- name: vault-crossplane-providerconfig
- forProvider:
- oidcDiscoveryUrl: "https://keycloak-127-0-0-1.nip.io/realms/sx-cnp-oss"
- oidcClientId: vault
- defaultRole: default
- oidcClientSecretSecretRef:
- name: sx-vault-demosecret
- key: demosecret
- namespace: vault
- type: oidc
- path: oidc
+#issue opened https://github.com/upbound/provider-vault/issues/45 - oidcDiscoveryCaPem should be referenced with @oidcDiscoveryCaPem
# tune not working?
---
# Source: sx-vault/templates/crossplane/cp-authbackend-oidc.yaml
apiVersion: jwt.vault.upbound.io/v1alpha1
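Review bot: removing the `AuthBackend` resource here leaves `oidc-backend-role` (next hunk, now sync-wave "4") pointing at an `oidc` auth path that is created only by the init script; if the script has not enabled the mount by the time Crossplane reconciles the role, the role fails until it does. The comment line documents the provider issue but not this ordering dependency, nor that the uibklab values keep the Crossplane-managed backend instead; a short note on both in the template would help the next reader.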
@@ -42,9 +23,9 @@
metadata:
name: oidc-backend-role
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "4"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
diff -U 4 -r out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-group-sx-cnp-oss.yaml out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-group-sx-cnp-oss.yaml
--- out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-group-sx-cnp-oss.yaml 2024-11-22 16:45:09.872235057 +0000
+++ out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-group-sx-cnp-oss.yaml 2024-11-22 16:44:38.896372959 +0000
@@ -5,9 +5,9 @@
metadata:
name: admins
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "2" # last item - for initcontainer check, until accessor id is available via crossplane plugin
+ argocd.argoproj.io/sync-wave: "6" # last item - for initcontainer check, until accessor id is available via crossplane plugin
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -24,9 +24,9 @@
metadata:
name: users
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "5"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -43,9 +43,9 @@
metadata:
name: team1
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "5"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
diff -U 4 -r out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-pol-sx-cnp-oss.yaml out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-pol-sx-cnp-oss.yaml
--- out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-pol-sx-cnp-oss.yaml 2024-11-22 16:45:09.872235057 +0000
+++ out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-pol-sx-cnp-oss.yaml 2024-11-22 16:44:38.896372959 +0000
@@ -5,9 +5,9 @@
metadata:
name: crossplane
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -26,9 +26,9 @@
metadata:
name: vault-admin
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -44,9 +44,9 @@
metadata:
name: users
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -65,9 +65,9 @@
metadata:
name: team1
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
diff -U 4 -r out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-secret-kv2.yaml out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-secret-kv2.yaml
--- out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-secret-kv2.yaml 2024-11-22 16:45:09.872235057 +0000
+++ out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-secret-kv2.yaml 2024-11-22 16:44:38.896372959 +0000
@@ -5,9 +5,9 @@
metadata:
name: sx-cnp-oss-kv
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "-2"
+ argocd.argoproj.io/sync-wave: "1"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -23,9 +23,9 @@
metadata:
name: example
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "-1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
diff -U 4 -r out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-secretv2.yaml out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-secretv2.yaml
--- out/target/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-secretv2.yaml 2024-11-22 16:45:09.872235057 +0000
+++ out/pr/vault/values-k3d.yaml/sx-vault/templates/crossplane/cp-secretv2.yaml 2024-11-22 16:44:38.896372959 +0000
@@ -5,9 +5,9 @@
metadata:
name: team1
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: team1
# cas: 2 #not working
@@ -31,9 +31,9 @@
metadata:
name: users
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: users
# cas: 2 #not working
@@ -57,9 +57,9 @@
metadata:
name: minio
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: demo/minio
# cas: 2 #not working
@@ -83,9 +83,9 @@
metadata:
name: loginuser
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: demo/loginuser
# cas: 2 #not working
@@ -109,9 +109,9 @@
metadata:
name: velero-ui
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: demo/velero-ui
# cas: 2 #not working
@@ -134,9 +134,9 @@
metadata:
name: cnpg
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: demo/cnpg
# cas: 2 #not working
Only in out/target/vault/values-k3d.yaml/sx-vault/templates: truncate-audit-log.yaml
diff -U 4 -r out/target/vault/values-uibklab.yaml/sx-vault/charts/vault/templates/server-statefulset.yaml out/pr/vault/values-uibklab.yaml/sx-vault/charts/vault/templates/server-statefulset.yaml
--- out/target/vault/values-uibklab.yaml/sx-vault/charts/vault/templates/server-statefulset.yaml 2024-11-22 16:45:09.944234714 +0000
+++ out/pr/vault/values-uibklab.yaml/sx-vault/charts/vault/templates/server-statefulset.yaml 2024-11-22 16:44:38.968372633 +0000
@@ -30,18 +30,8 @@
component: server
annotations:
spec:
- affinity:
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: vault
- app.kubernetes.io/instance: "release-name"
- component: server
- topologyKey: kubernetes.io/hostname
-
terminationGracePeriodSeconds: 10
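Review bot: dropping the required `podAntiAffinity` on `kubernetes.io/hostname` lets the scheduler place every Vault replica on the same node, so a single node failure takes the whole Raft cluster down with it. If the lab cluster simply has too few nodes, `preferredDuringSchedulingIgnoredDuringExecution` keeps the spreading intent without blocking scheduling; removing the rule entirely should at least be called out in the PR description.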
@@ -240,8 +230,36 @@
name: plugins
- command:
- /bin/sh
- -c
+ - |
+ while true; do
+ echo "waiting for tomorrow :-)"
+ sleep 86400 # Runs daily, after 1 day
+ echo "Truncating log file..."
+ truncate -s 0 /vault/audit/audit.log
+ done
+ env:
+ - name: VAULT_ADDR
+ valueFrom:
+ secretKeyRef:
+ key: VAULT_ADDR
+ name: sx-vault-env-vars
+ image: hashicorp/vault:1.17.2
+ name: audit-cleanup
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ volumeMounts:
+ - mountPath: /vault-root-token
+ name: vault-root-token
+ - command:
+ - /bin/sh
+ - -c
- "while true; do\n sleep 10\n VAULT_STATUS=$(vault status)\n if echo \"$VAULT_STATUS\"
| grep -q \"Initialized.*false\" && [ $HOSTNAME != 'sx-vault-0' ]; then\n echo
joining raft cluster\n vault operator raft join http://sx-vault-0.sx-vault-internal:8200\n
\ sleep 5\n fi \n if echo \"$VAULT_STATUS\" | grep -q \"Initialized.*true\";
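Review bot: same issue as the k3d statefulset: the `audit-cleanup` container mounts only `vault-root-token` and not the audit volume, so `truncate -s 0 /vault/audit/audit.log` does not reach the real log, while the unused root-token mount widens the exposure of that secret for no benefit. Drop the mount and the `VAULT_ADDR` env entry, mount the audit volume instead, and prefer rotation over a daily zeroing of the audit trail.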
diff -U 4 -r out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-authbackend-oidc.yaml out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-authbackend-oidc.yaml
--- out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-authbackend-oidc.yaml 2024-11-22 16:45:09.944234714 +0000
+++ out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-authbackend-oidc.yaml 2024-11-22 16:44:38.968372633 +0000
@@ -13,15 +13,16 @@
# forProvider:
# type: oidc
# path: oidc
#---
+#issue opened https://github.com/upbound/provider-vault/issues/45 - oidcDiscoveryCaPem should be referenced with @oidcDiscoveryCaPem
apiVersion: jwt.vault.upbound.io/v1alpha1
kind: AuthBackend
metadata:
name: oidc-backend
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -33,8 +34,9 @@
key: demosecret
namespace: vault
type: oidc
path: oidc
+ # oidcDiscoveryCaPem: "/vault/userconfig/vault-ca/ca.crt"
# tune not working?
---
# Source: sx-vault/templates/crossplane/cp-authbackend-oidc.yaml
apiVersion: jwt.vault.upbound.io/v1alpha1
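Review bot: with `oidcDiscoveryCaPem` left commented out, this Crossplane-managed backend performs OIDC discovery against `https://keycloak-127-0-0-1.nip.io` without the private CA the statefulset now mounts at `/vault/userconfig/vault-ca/ca.crt`, so discovery either fails TLS verification or depends on that CA being trusted some other way; the k3d values sidestep this by enabling the mount from the init script with `oidc_discovery_ca_pem=@...`. State which path uibklab relies on, and if it is the script, the two definitions of the same `oidc` mount may conflict on reconcile.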
@@ -42,9 +44,9 @@
metadata:
name: oidc-backend-role
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "4"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
diff -U 4 -r out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-group-sx-cnp-oss.yaml out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-group-sx-cnp-oss.yaml
--- out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-group-sx-cnp-oss.yaml 2024-11-22 16:45:09.944234714 +0000
+++ out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-group-sx-cnp-oss.yaml 2024-11-22 16:44:38.968372633 +0000
@@ -5,9 +5,9 @@
metadata:
name: admins
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "2" # last item - for initcontainer check, until accessor id is available via crossplane plugin
+ argocd.argoproj.io/sync-wave: "6" # last item - for initcontainer check, until accessor id is available via crossplane plugin
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -24,9 +24,9 @@
metadata:
name: users
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "5"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -43,9 +43,9 @@
metadata:
name: team1
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "5"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
diff -U 4 -r out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-pol-sx-cnp-oss.yaml out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-pol-sx-cnp-oss.yaml
--- out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-pol-sx-cnp-oss.yaml 2024-11-22 16:45:09.944234714 +0000
+++ out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-pol-sx-cnp-oss.yaml 2024-11-22 16:44:38.968372633 +0000
@@ -5,9 +5,9 @@
metadata:
name: crossplane
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -26,9 +26,9 @@
metadata:
name: vault-admin
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -44,9 +44,9 @@
metadata:
name: users
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -65,9 +65,9 @@
metadata:
name: team1
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/secret.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/secret.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/secret.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/secret.yaml 2024-11-22 16:44:20.520473922 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
type: Opaque
data:
admin-user: "YWRtaW4="
diff -U 4 -r out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-secret-kv2.yaml out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-secret-kv2.yaml
--- out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-secret-kv2.yaml 2024-11-22 16:45:09.944234714 +0000
+++ out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-secret-kv2.yaml 2024-11-22 16:44:38.968372633 +0000
@@ -5,9 +5,9 @@
metadata:
name: sx-cnp-oss-kv
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "-2"
+ argocd.argoproj.io/sync-wave: "1"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
@@ -23,9 +23,9 @@
metadata:
name: example
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "-1"
+ argocd.argoproj.io/sync-wave: "2"
spec:
providerConfigRef:
name: vault-crossplane-providerconfig
forProvider:
diff -U 4 -r out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-secretv2.yaml out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-secretv2.yaml
--- out/target/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-secretv2.yaml 2024-11-22 16:45:09.944234714 +0000
+++ out/pr/vault/values-uibklab.yaml/sx-vault/templates/crossplane/cp-secretv2.yaml 2024-11-22 16:44:38.968372633 +0000
@@ -5,9 +5,9 @@
metadata:
name: team1
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: team1
# cas: 2 #not working
@@ -31,9 +31,9 @@
metadata:
name: users
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: users
# cas: 2 #not working
@@ -57,9 +57,9 @@
metadata:
name: minio
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: demo/minio
# cas: 2 #not working
@@ -83,9 +83,9 @@
metadata:
name: loginuser
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: demo/loginuser
# cas: 2 #not working
@@ -109,9 +109,9 @@
metadata:
name: velero-ui
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: demo/velero-ui
# cas: 2 #not working
@@ -134,9 +134,9 @@
metadata:
name: cnpg
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "3"
spec:
forProvider:
name: demo/cnpg
# cas: 2 #not working
Only in out/target/vault/values-uibklab.yaml/sx-vault/templates: truncate-audit-log.yaml
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/backupstoragelocation.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/backupstoragelocation.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/backupstoragelocation.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/backupstoragelocation.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -8,9 +8,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
provider: aws
accessMode: ReadWrite
default: true
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/clusterrolebinding.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/clusterrolebinding.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/clusterrolebinding.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/clusterrolebinding.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -8,9 +8,9 @@
app.kubernetes.io/component: server
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
subjects:
- kind: ServiceAccount
namespace: default
name: velero
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/configmaps.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/configmaps.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/configmaps.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/configmaps.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -8,9 +8,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
velero.io/plugin-config: ""
velero.io/pod-volume-restore: RestoreItemAction
data:
image: velero/velero-restore-helper:v1.14.1
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/deployment.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/deployment.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/deployment.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/deployment.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -8,9 +8,10 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ app.kubernetes.io/version: 1.14.1
+ helm.sh/chart: velero-7.2.2
component: velero
spec:
replicas: 1
strategy:
@@ -25,9 +26,10 @@
name: velero
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ app.kubernetes.io/version: 1.14.1
+ helm.sh/chart: velero-7.2.2
annotations:
spec:
restartPolicy: Always
serviceAccountName: velero
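Review bot: the new `app.kubernetes.io/version: 1.14.1` label lands in the pod template as well as on the Deployment, so this bump rolls the velero pod even though the image tag is unchanged; harmless, but worth knowing if a backup is in flight when it syncs.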
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/node-agent-daemonset.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/node-agent-daemonset.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/node-agent-daemonset.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/node-agent-daemonset.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -8,9 +8,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
selector:
matchLabels:
name: node-agent
@@ -20,9 +20,9 @@
name: node-agent
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
annotations:
spec:
serviceAccountName: velero
securityContext:
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/role.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/role.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/role.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/role.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -9,9 +9,9 @@
app.kubernetes.io/component: server
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
rules:
- apiGroups:
- "*"
resources:
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/rolebinding.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/rolebinding.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/rolebinding.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/rolebinding.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -9,9 +9,9 @@
app.kubernetes.io/component: server
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
subjects:
- kind: ServiceAccount
namespace: default
name: velero
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/service.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/service.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/service.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/service.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -8,9 +8,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
type: ClusterIP
ports:
- name: http-monitoring
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/service.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/service.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/service.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/service.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
type: ClusterIP
ports:
- name: service
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/serviceaccount-server.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/serviceaccount-server.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/serviceaccount-server.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/serviceaccount-server.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -8,5 +8,5 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrole-upgrade.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrole-upgrade.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrole-upgrade.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrole-upgrade.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -12,9 +12,9 @@
app.kubernetes.io/component: upgrade-crds
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrolebinding-upgrade.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrolebinding-upgrade.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrolebinding-upgrade.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrolebinding-upgrade.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -8,9 +8,9 @@
app.kubernetes.io/component: upgrade-crds
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-weight": "-3"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/serviceaccount-upgrade.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/serviceaccount-upgrade.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/serviceaccount-upgrade.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/serviceaccount-upgrade.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -12,5 +12,5 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
diff -U 4 -r out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/upgrade-crds.yaml out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/upgrade-crds.yaml
--- out/target/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/upgrade-crds.yaml 2024-11-22 16:45:10.744230904 +0000
+++ out/pr/velero/values-k3d.yaml/sx-velero/charts/velero/templates/upgrade-crds/upgrade-crds.yaml 2024-11-22 16:44:39.840368676 +0000
@@ -12,9 +12,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
backoffLimit: 3
template:
metadata:
Only in out/target/velero/values-k3d.yaml/sx-velero/templates: pushsecret_netapp.yaml
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/backupstoragelocation.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/backupstoragelocation.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/backupstoragelocation.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/backupstoragelocation.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -8,9 +8,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
provider: aws
accessMode: ReadWrite
objectStorage:
@@ -31,9 +31,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
credential:
name: netapp-credentials
key: cloud
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/clusterrolebinding.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/clusterrolebinding.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/clusterrolebinding.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/clusterrolebinding.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -8,9 +8,9 @@
app.kubernetes.io/component: server
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
subjects:
- kind: ServiceAccount
namespace: default
name: velero
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/configmaps.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/configmaps.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/configmaps.yaml 2024-11-22 16:45:10.796230657 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/configmaps.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -8,9 +8,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
velero.io/plugin-config: ""
velero.io/pod-volume-restore: RestoreItemAction
data:
image: velero/velero-restore-helper:v1.14.1
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/deployment.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/deployment.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/deployment.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/deployment.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -8,9 +8,10 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ app.kubernetes.io/version: 1.14.1
+ helm.sh/chart: velero-7.2.2
component: velero
spec:
replicas: 1
strategy:
@@ -25,9 +26,10 @@
name: velero
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ app.kubernetes.io/version: 1.14.1
+ helm.sh/chart: velero-7.2.2
annotations:
spec:
restartPolicy: Always
serviceAccountName: velero
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/node-agent-daemonset.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/node-agent-daemonset.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/node-agent-daemonset.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/node-agent-daemonset.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -8,9 +8,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
selector:
matchLabels:
name: node-agent
@@ -20,9 +20,9 @@
name: node-agent
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
annotations:
spec:
serviceAccountName: velero
securityContext:
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml 2024-11-22 16:44:52.096300186 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml 2024-11-22 16:44:20.520473922 +0000
@@ -4,11 +4,10 @@
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana
namespace: default
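Review bot: the grafana hunks drop `app.kubernetes.io/managed-by: Helm` from the rendered labels (`- app.kubernetes.io/managed-by: Helm` has no `+` counterpart here and in every grafana template below, hence the `11,10` and `13,12` line counts). Anything that selects or audits on that label (policy engines, inventory tooling, network policies keyed on managed-by) stops matching these objects after the upgrade. Check whether chart 8.6.0 intends to drop it or whether it is an artefact of how the target and PR renders were produced, and record the answer in the PR before merging.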
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/role.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/role.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/role.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/role.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -9,9 +9,9 @@
app.kubernetes.io/component: server
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
rules:
- apiGroups:
- "*"
resources:
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/rolebinding.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/rolebinding.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/rolebinding.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/rolebinding.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -9,9 +9,9 @@
app.kubernetes.io/component: server
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
subjects:
- kind: ServiceAccount
namespace: default
name: velero
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/service.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/service.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/service.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/service.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -8,9 +8,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
type: ClusterIP
ports:
- name: http-monitoring
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/serviceaccount-server.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/serviceaccount-server.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/serviceaccount-server.yaml 2024-11-22 16:45:10.796230657 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/serviceaccount-server.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -8,5 +8,5 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrole-upgrade.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrole-upgrade.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrole-upgrade.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrole-upgrade.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -12,9 +12,9 @@
app.kubernetes.io/component: upgrade-crds
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrolebinding-upgrade.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrolebinding-upgrade.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrolebinding-upgrade.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/clusterrolebinding-upgrade.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -8,9 +8,9 @@
app.kubernetes.io/component: upgrade-crds
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-weight": "-3"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/serviceaccount-upgrade.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/serviceaccount-upgrade.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/serviceaccount-upgrade.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/serviceaccount-upgrade.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -12,5 +12,5 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/upgrade-crds.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/upgrade-crds.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/upgrade-crds.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/upgrade-crds/upgrade-crds.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -12,9 +12,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
backoffLimit: 3
template:
metadata:
diff -U 4 -r out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/volumesnapshotlocation.yaml out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/volumesnapshotlocation.yaml
--- out/target/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/volumesnapshotlocation.yaml 2024-11-22 16:45:10.800230638 +0000
+++ out/pr/velero/values-uibklab.yaml/sx-velero/charts/velero/templates/volumesnapshotlocation.yaml 2024-11-22 16:44:39.892368439 +0000
@@ -8,9 +8,9 @@
labels:
app.kubernetes.io/name: velero
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: velero-7.2.1
+ helm.sh/chart: velero-7.2.2
spec:
provider: aws
config:
incremental: "true"
Only in out/pr/velero/values-uibklab.yaml/sx-velero/templates: external_secret_velero_na.yaml
Only in out/target/velero/values-uibklab.yaml/sx-velero/templates: pushsecret_netapp.yaml
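Review bot: the two `Only in` lines show the uibklab velero release swapping `pushsecret_netapp.yaml` for `external_secret_velero_na.yaml`, which inverts the direction of secret flow (a PushSecret writes the in-cluster Secret out to the provider; an ExternalSecret pulls from the provider into the cluster). The new ExternalSecret's body is not part of the rendered diff, so its `secretStoreRef`, `target` and `refreshInterval` cannot be reviewed here; please link the template change, and confirm that the `netapp-credentials` Secret the BackupStorageLocation hunk above references (`credential: name: netapp-credentials`, `key: cloud`) is the Secret the ExternalSecret produces, otherwise the BSL points at a Secret nothing creates.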
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml 2024-11-22 16:44:52.100300165 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
replicas: 1
selector:
matchLabels:
@@ -23,12 +22,12 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
annotations:
- checksum/config: f0828cce1b3cd439c60813a391c0722ad4bba78375b69adb0d701e9e42df2c77
+ checksum/config: 0c1984473d6ebbd9c76d6cf9cfcd5b8632ee3a07d46afe88afbcb7838298af78
checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
- checksum/sc-dashboard-provider-config: 8f58f7eecf6af0f6f9fa49900156d5d42bf2266f16c058ba0255172f303d2aa0
- checksum/secret: d68a3d8c8ee38b61dc7622b7fb7422eb52e3136317465394c7e00c00766e6f0a
+ checksum/sc-dashboard-provider-config: dddbbc6a5f70ef8a2a2cd005bbecdc2f875659501bceb0b23dc57d6b2146a62b
+ checksum/secret: e444cc9131efddc944733db16f8fa848d629c72c5fdf9ec0e14e53fbaeff812c
kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: release-name-grafana
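Review bot: `checksum/config`, `checksum/sc-dashboard-provider-config` and `checksum/secret` all change in this hunk, so the upgrade restarts the grafana pod even though no values changed; the grafana chart hashes the whole rendered template, labels included, so the label change in secret.yaml alone is enough to move `checksum/secret`. With `replicas: 1` in the hunk above that is a short outage; schedule the merge accordingly rather than treating it as a label-only change.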
@@ -140,9 +139,9 @@
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "docker.io/grafana/grafana:11.2.2-security-01"
+ image: "docker.io/grafana/grafana:11.3.0"
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
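Review bot: the image moves from `docker.io/grafana/grafana:11.2.2-security-01` to `docker.io/grafana/grafana:11.3.0`. The old tag is an out-of-band security build, so confirm from the Grafana release notes that 11.3.0 carries the same fix before merging; a minor release cut before the security patch would reintroduce the issue. The tag is also mutable and unpinned; if this chart version exposes the `image.sha` value, pinning the digest there makes the rendered diff reflect the exact image that will run. The same tag change appears in the metalstack and uibklab statefulset hunks below.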
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml 2024-11-22 16:44:52.100300165 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -8,13 +8,12 @@
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
data:
run.sh: |-
@test "Test Health" {
url="http://release-name-grafana/api/health"
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml 2024-11-22 16:44:52.100300165 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -3,13 +3,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana-test
namespace: default
annotations:
"helm.sh/hook": test
diff -U 4 -r out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml
--- out/target/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml 2024-11-22 16:44:52.100300165 +0000
+++ out/pr/grafana/values-k3d.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml 2024-11-22 16:44:20.524473905 +0000
@@ -4,13 +4,12 @@
kind: Pod
metadata:
name: release-name-grafana-test
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -3,13 +3,12 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["configmaps", "secrets"]
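Review bot: the ClusterRole keeps `resources: ["configmaps", "secrets"]` at cluster scope; only the labels change here, but since the object is in the diff it is worth recording that this lets the grafana sidecar read every Secret in the cluster. If dashboards and datasources are only provisioned from ConfigMaps, restrict the chart's `sidecar.*.resource` values to configmaps (or run the chart with namespaced RBAC) so a compromised grafana pod cannot enumerate cluster-wide secrets. Not a blocker for this version bump.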
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -4,13 +4,12 @@
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: release-name-grafana-clusterrolebinding
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
subjects:
- kind: ServiceAccount
name: release-name-grafana
namespace: default
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -3,13 +3,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/configmap.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/configmap.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/configmap.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/configmap.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
data:
grafana.ini: |
[analytics]
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana-headless
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
clusterIP: None
selector:
app.kubernetes.io/name: grafana
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/ingress.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/ingress.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/ingress.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/ingress.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-staging"
external-dns.alpha.kubernetes.io/ttl: "60"
spec:
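Review bot: `cert-manager.io/cluster-issuer: "letsencrypt-staging"` on the metalstack ingress means the TLS certificate comes from the Let's Encrypt staging CA, which clients do not trust. Fine for a lab rendering, but it should not be the issuer in any environment users reach without pinning the staging root. Unchanged by this PR; noted because the hunk surfaces it.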
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/role.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/role.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/role.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/role.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -5,10 +5,9 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
rules: []
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: release-name-grafana
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/secret.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/secret.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/secret.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/secret.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
type: Opaque
data:
admin-user: "YWRtaW4="
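Review bot: `admin-user: "YWRtaW4="` is the base64 encoding of `admin`, i.e. the chart's default admin account rendered into an in-chart Secret (the password line sits outside the hunk but in the same object). Because these rendered manifests are committed as PR output, the admin password lands in repository history unless `admin.existingSecret` points at a Secret created elsewhere; an ExternalSecret would fit the pattern this PR is about. Consider switching before the next grafana bump.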
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/service.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/service.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/service.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/service.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
type: ClusterIP
ports:
- name: service
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -4,11 +4,10 @@
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana
namespace: default
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
replicas: 1
selector:
matchLabels:
@@ -23,12 +22,12 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
annotations:
- checksum/config: 87ac726f5b8dd1f4458389ec80825e6cd136548f29daf5de7e930aff71f8e3fc
+ checksum/config: 9098cdb27aed5139bba9160dcb8a1d24a8033814e40938e2dc01bc99ed9cc572
checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
- checksum/sc-dashboard-provider-config: 8f58f7eecf6af0f6f9fa49900156d5d42bf2266f16c058ba0255172f303d2aa0
- checksum/secret: d68a3d8c8ee38b61dc7622b7fb7422eb52e3136317465394c7e00c00766e6f0a
+ checksum/sc-dashboard-provider-config: dddbbc6a5f70ef8a2a2cd005bbecdc2f875659501bceb0b23dc57d6b2146a62b
+ checksum/secret: e444cc9131efddc944733db16f8fa848d629c72c5fdf9ec0e14e53fbaeff812c
kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: release-name-grafana
@@ -140,9 +139,9 @@
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "docker.io/grafana/grafana:11.2.2-security-01"
+ image: "docker.io/grafana/grafana:11.3.0"
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -8,13 +8,12 @@
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
data:
run.sh: |-
@test "Test Health" {
url="http://release-name-grafana/api/health"
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -3,13 +3,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana-test
namespace: default
annotations:
"helm.sh/hook": test
diff -U 4 -r out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml
--- out/target/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml 2024-11-22 16:44:51.968300837 +0000
+++ out/pr/grafana/values-metalstack.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml 2024-11-22 16:44:20.396474476 +0000
@@ -4,13 +4,12 @@
kind: Pod
metadata:
name: release-name-grafana-test
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/clusterrole.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -3,13 +3,12 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["configmaps", "secrets"]
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/clusterrolebinding.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -4,13 +4,12 @@
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: release-name-grafana-clusterrolebinding
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
subjects:
- kind: ServiceAccount
name: release-name-grafana
namespace: default
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml 2024-11-22 16:44:52.228299514 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/configmap-dashboard-provider.yaml 2024-11-22 16:44:20.652473333 +0000
@@ -3,13 +3,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/configmap.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/configmap.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/configmap.yaml 2024-11-22 16:44:52.228299514 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/configmap.yaml 2024-11-22 16:44:20.652473333 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
data:
grafana.ini: |
[analytics]
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/headless-service.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana-headless
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
clusterIP: None
selector:
app.kubernetes.io/name: grafana
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/ingress.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/ingress.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/ingress.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/ingress.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
annotations:
cert.gardener.cloud/purpose: "managed"
dns.gardener.cloud/class: "garden"
dns.gardener.cloud/dnsnames: "grafana.lab.suxessit.k8s.cloud.uibk.ac.at"
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/role.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/role.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/role.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/role.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -5,10 +5,9 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
rules: []
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/rolebinding.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: release-name-grafana
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/secret.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/secret.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/secret.yaml 2024-11-22 16:44:52.228299514 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/secret.yaml 2024-11-22 16:44:20.652473333 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
type: Opaque
data:
admin-user: "YWRtaW4="
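Review bot: the trailing context shows Secret `data` in the rendered-chart diff (`admin-user: "YWRtaW4="` is only base64 of `admin`), and the hunk ends right before the next key, so any further key rendered from values, for example an admin password, would be posted into the PR the same way. Suggest the rendering job redacts or excludes `data` and `stringData` of `kind: Secret` before publishing the diff, and that admin credentials reference an existing Secret rather than chart values.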
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/service.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/service.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/service.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/service.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
type: ClusterIP
ports:
- name: service
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml 2024-11-22 16:44:52.228299514 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/serviceaccount.yaml 2024-11-22 16:44:20.652473333 +0000
@@ -4,11 +4,10 @@
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana
namespace: default
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/statefulset.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -5,13 +5,12 @@
metadata:
name: release-name-grafana
namespace: default
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
spec:
replicas: 1
selector:
matchLabels:
@@ -23,12 +22,12 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
annotations:
- checksum/config: 9c8301f35ae6f370312fa0dc16997f9049585b657287ab024e8973eede416730
+ checksum/config: c701fa4370d6ac8d04f39a2f97e7ca223fa6cd76ec6cbf226a3f726955e3253c
checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
- checksum/sc-dashboard-provider-config: 8f58f7eecf6af0f6f9fa49900156d5d42bf2266f16c058ba0255172f303d2aa0
- checksum/secret: d68a3d8c8ee38b61dc7622b7fb7422eb52e3136317465394c7e00c00766e6f0a
+ checksum/sc-dashboard-provider-config: dddbbc6a5f70ef8a2a2cd005bbecdc2f875659501bceb0b23dc57d6b2146a62b
+ checksum/secret: e444cc9131efddc944733db16f8fa848d629c72c5fdf9ec0e14e53fbaeff812c
kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: release-name-grafana
@@ -114,9 +113,9 @@
value: "/etc/grafana/provisioning/datasources"
- name: RESOURCE
value: "both"
- name: NAMESPACE
- value: "grafana,mimir,loki,kubecost"
+ value: "grafana,mimir,loki,kubecost,gardener-grafana"
- name: REQ_USERNAME
valueFrom:
secretKeyRef:
name: release-name-grafana
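Review bot: the `NAMESPACE` change (`grafana,mimir,loki,kubecost` to `grafana,mimir,loki,kubecost,gardener-grafana`) is a values change, not part of the chart 8.5.8 to 8.6.0 bump, and it widens what the datasource sidecar watches (`RESOURCE` is `both`, so ConfigMaps and Secrets). It should be called out in the PR description or split into its own change, and the added namespace should be checked against the ClusterRole in this diff that grants Secrets access cluster-wide.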
@@ -140,9 +139,9 @@
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "docker.io/grafana/grafana:11.2.2-security-01"
+ image: "docker.io/grafana/grafana:11.3.0"
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
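Review bot: the image change replaces `11.2.2-security-01`, an out-of-band security build, with `11.3.0`; confirm that 11.3.0 carries the same fix before merging, since a later minor is not automatically a superset of a security build. Independently of the version, pinning by digest next to the tag (`image: "docker.io/grafana/grafana:11.3.0@sha256:<digest>"`, digest to be filled in) would stop a re-pushed tag from silently changing what runs.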
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test-configmap.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -8,13 +8,12 @@
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
data:
run.sh: |-
@test "Test Health" {
url="http://release-name-grafana/api/health"
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test-serviceaccount.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -3,13 +3,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
name: release-name-grafana-test
namespace: default
annotations:
"helm.sh/hook": test
diff -U 4 -r out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml
--- out/target/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml 2024-11-22 16:44:52.232299494 +0000
+++ out/pr/grafana/values-uibklab.yaml/sx-grafana/charts/grafana/templates/tests/test.yaml 2024-11-22 16:44:20.656473315 +0000
@@ -4,13 +4,12 @@
kind: Pod
metadata:
name: release-name-grafana-test
labels:
- helm.sh/chart: grafana-8.5.8
+ helm.sh/chart: grafana-8.6.0
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: release-name
- app.kubernetes.io/version: "11.2.2-security-01"
- app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/version: "11.3.0"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
diff -U 4 -r out/target/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml out/pr/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml
--- out/target/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml 2024-11-22 16:44:55.536282686 +0000
+++ out/pr/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml 2024-11-22 16:44:24.080458026 +0000
@@ -80,8 +80,16 @@
}
}
output {
+ metrics = [otelcol.processor.attributes.default.input]
+ logs = [otelcol.processor.attributes.default.input]
+ }
+ }
+
+ otelcol.processor.attributes "default" {
+
+ output {
metrics = [otelcol.processor.transform.default.input]
logs = [otelcol.processor.transform.default.input]
}
}
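Review bot: the new `otelcol.processor.attributes "default"` block sits between the receivers and `otelcol.processor.transform.default` but contains no `action` blocks, so it is a pure pass-through stage. If it is meant as an extension point populated from values, fine; otherwise it is worth checking whether the chart guards it with a condition so an empty processor is not rendered on every install.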
@@ -404,8 +412,17 @@
scrape_interval = "60s"
clustering {
enabled = true
}
+ forward_to = [prometheus.relabel.kubernetes_monitoring_telemetry.receiver]
+ }
+
+ prometheus.relabel "kubernetes_monitoring_telemetry" {
+ rule {
+ source_labels = ["__name__"]
+ regex = "grafana_kubernetes_monitoring_build_info"
+ action = "keep"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubelet
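Review bot: the new `prometheus.relabel "kubernetes_monitoring_telemetry"` keeps only `__name__` matching `grafana_kubernetes_monitoring_build_info`; Prometheus relabel regexes are fully anchored, so the scrape's `up` series is dropped as well, unlike the other components in this config, which keep `up|...`. If anything alerts on `up` for this job the series will go absent after the upgrade; otherwise this is a welcome narrowing of what is forwarded to `metrics_service`.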
@@ -933,5 +950,5 @@
}
k8s-monitoring-build-info-metric.prom: |
# HELP grafana_kubernetes_monitoring_build_info A metric to report the version of the Kubernetes Monitoring Helm chart as well as a summary of enabled features
# TYPE grafana_kubernetes_monitoring_build_info gauge
- grafana_kubernetes_monitoring_build_info{version="1.6.1", namespace="default", metrics="enabled,alloy,autoDiscover,kube-state-metrics,node-exporter,kubelet,kubeletResource,cadvisor,apiserver,cost,extraConfig", logs="enabled,events,pod_logs", traces="disabled", deployments="kube-state-metrics,prometheus-node-exporter,prometheus-operator-crds"} 1
+ grafana_kubernetes_monitoring_build_info{version="1.6.4", namespace="default", metrics="enabled,alloy,autoDiscover,kube-state-metrics,node-exporter,kubelet,kubeletResource,cadvisor,apiserver,cost,extraConfig", logs="enabled,events,pod_logs", traces="disabled", deployments="kube-state-metrics,prometheus-node-exporter,prometheus-operator-crds"} 1
diff -U 4 -r out/target/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml out/pr/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml
--- out/target/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml 2024-11-22 16:44:55.544282646 +0000
+++ out/pr/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml 2024-11-22 16:44:24.088457990 +0000
@@ -7,10 +7,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -89,8 +89,16 @@
}
}
output {
+ metrics = [otelcol.processor.attributes.default.input]
+ logs = [otelcol.processor.attributes.default.input]
+ }
+ }
+
+ otelcol.processor.attributes "default" {
+
+ output {
metrics = [otelcol.processor.transform.default.input]
logs = [otelcol.processor.transform.default.input]
}
}
@@ -413,8 +421,17 @@
scrape_interval = "60s"
clustering {
enabled = true
}
+ forward_to = [prometheus.relabel.kubernetes_monitoring_telemetry.receiver]
+ }
+
+ prometheus.relabel "kubernetes_monitoring_telemetry" {
+ rule {
+ source_labels = ["__name__"]
+ regex = "grafana_kubernetes_monitoring_build_info"
+ action = "keep"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubelet
@@ -1154,10 +1171,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff -U 4 -r out/target/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml out/pr/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml
--- out/target/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml 2024-11-22 16:44:55.544282646 +0000
+++ out/pr/k8s-monitoring/values-k3d.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml 2024-11-22 16:44:24.088457990 +0000
@@ -7,10 +7,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
@@ -69,10 +69,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "0"
@@ -81,9 +81,9 @@
nodeSelector:
kubernetes.io/os: linux
containers:
- name: config-analysis
- image: ghcr.io/grafana/k8s-monitoring-test:1.6.1
+ image: ghcr.io/grafana/k8s-monitoring-test:1.6.4
command: [/etc/bin/config-analysis.sh]
env:
- name: ALLOY_HOST
value: release-name-alloy.default.svc:12345
@@ -96,10 +96,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "0"
@@ -113,16 +113,16 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ helm.sh/chart: "k8s-monitoring-1.6.4"
spec:
restartPolicy: Never
nodeSelector:
kubernetes.io/os: linux
containers:
- name: query-test
- image: ghcr.io/grafana/k8s-monitoring-test:1.6.1
+ image: ghcr.io/grafana/k8s-monitoring-test:1.6.4
command: ["bash", "-c", "/etc/bin/query-test.sh /etc/test/testQueries.json"]
volumeMounts:
- name: test-files
mountPath: /etc/test
diff -U 4 -r out/target/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml out/pr/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml
--- out/target/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml 2024-11-22 16:44:55.052285149 +0000
+++ out/pr/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml 2024-11-22 16:44:23.592460205 +0000
@@ -80,8 +80,16 @@
}
}
output {
+ metrics = [otelcol.processor.attributes.default.input]
+ logs = [otelcol.processor.attributes.default.input]
+ }
+ }
+
+ otelcol.processor.attributes "default" {
+
+ output {
metrics = [otelcol.processor.transform.default.input]
logs = [otelcol.processor.transform.default.input]
}
}
@@ -404,8 +412,17 @@
scrape_interval = "60s"
clustering {
enabled = true
}
+ forward_to = [prometheus.relabel.kubernetes_monitoring_telemetry.receiver]
+ }
+
+ prometheus.relabel "kubernetes_monitoring_telemetry" {
+ rule {
+ source_labels = ["__name__"]
+ regex = "grafana_kubernetes_monitoring_build_info"
+ action = "keep"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubelet
@@ -957,5 +974,5 @@
}
k8s-monitoring-build-info-metric.prom: |
# HELP grafana_kubernetes_monitoring_build_info A metric to report the version of the Kubernetes Monitoring Helm chart as well as a summary of enabled features
# TYPE grafana_kubernetes_monitoring_build_info gauge
- grafana_kubernetes_monitoring_build_info{version="1.6.1", namespace="default", metrics="enabled,alloy,autoDiscover,kube-state-metrics,node-exporter,kubelet,kubeletResource,cadvisor,apiserver,cost,extraConfig", logs="enabled,events,pod_logs", traces="disabled", deployments="kube-state-metrics,prometheus-node-exporter,prometheus-operator-crds"} 1
+ grafana_kubernetes_monitoring_build_info{version="1.6.4", namespace="default", metrics="enabled,alloy,autoDiscover,kube-state-metrics,node-exporter,kubelet,kubeletResource,cadvisor,apiserver,cost,extraConfig", logs="enabled,events,pod_logs", traces="disabled", deployments="kube-state-metrics,prometheus-node-exporter,prometheus-operator-crds"} 1
diff -U 4 -r out/target/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml out/pr/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml
--- out/target/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml 2024-11-22 16:44:55.060285108 +0000
+++ out/pr/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml 2024-11-22 16:44:23.600460169 +0000
@@ -7,10 +7,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -89,8 +89,16 @@
}
}
output {
+ metrics = [otelcol.processor.attributes.default.input]
+ logs = [otelcol.processor.attributes.default.input]
+ }
+ }
+
+ otelcol.processor.attributes "default" {
+
+ output {
metrics = [otelcol.processor.transform.default.input]
logs = [otelcol.processor.transform.default.input]
}
}
@@ -413,8 +421,17 @@
scrape_interval = "60s"
clustering {
enabled = true
}
+ forward_to = [prometheus.relabel.kubernetes_monitoring_telemetry.receiver]
+ }
+
+ prometheus.relabel "kubernetes_monitoring_telemetry" {
+ rule {
+ source_labels = ["__name__"]
+ regex = "grafana_kubernetes_monitoring_build_info"
+ action = "keep"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubelet
@@ -1178,10 +1195,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff -U 4 -r out/target/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml out/pr/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml
--- out/target/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml 2024-11-22 16:44:55.060285108 +0000
+++ out/pr/k8s-monitoring/values-metalstack.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml 2024-11-22 16:44:23.600460169 +0000
@@ -7,10 +7,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
@@ -69,10 +69,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "0"
@@ -81,9 +81,9 @@
nodeSelector:
kubernetes.io/os: linux
containers:
- name: config-analysis
- image: ghcr.io/grafana/k8s-monitoring-test:1.6.1
+ image: ghcr.io/grafana/k8s-monitoring-test:1.6.4
command: [/etc/bin/config-analysis.sh]
env:
- name: ALLOY_HOST
value: release-name-alloy.default.svc:12345
@@ -96,10 +96,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "0"
@@ -113,16 +113,16 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ helm.sh/chart: "k8s-monitoring-1.6.4"
spec:
restartPolicy: Never
nodeSelector:
kubernetes.io/os: linux
containers:
- name: query-test
- image: ghcr.io/grafana/k8s-monitoring-test:1.6.1
+ image: ghcr.io/grafana/k8s-monitoring-test:1.6.4
command: ["bash", "-c", "/etc/bin/query-test.sh /etc/test/testQueries.json"]
volumeMounts:
- name: test-files
mountPath: /etc/test
diff -U 4 -r out/target/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml out/pr/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml
--- out/target/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml 2024-11-22 16:44:56.020280224 +0000
+++ out/pr/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/alloy-config.yaml 2024-11-22 16:44:24.564455864 +0000
@@ -80,8 +80,16 @@
}
}
output {
+ metrics = [otelcol.processor.attributes.default.input]
+ logs = [otelcol.processor.attributes.default.input]
+ }
+ }
+
+ otelcol.processor.attributes "default" {
+
+ output {
metrics = [otelcol.processor.transform.default.input]
logs = [otelcol.processor.transform.default.input]
}
}
@@ -325,8 +333,13 @@
}
prometheus.relabel "annotation_autodiscovery" {
max_cache_size = 100000
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Grafana Alloy
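Review bot: the `^kube-system$` drop rule on the `namespace` label is added here and to every other metrics relabel component in the uibklab rendering only (the k3d and metalstack alloy-config hunks above do not get it), so it comes from values-uibklab.yaml rather than the chart bump. Dropping every series from kube-system removes control-plane and addon pods (typically DNS, CNI, kube-proxy) from the metrics service and from any alerts built on them; that trade-off deserves its own PR with the reasoning written down.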
@@ -372,8 +385,13 @@
source_labels = ["__name__"]
regex = "up|alloy_build_info"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubernetes Monitoring Telemetry
@@ -404,8 +422,17 @@
scrape_interval = "60s"
clustering {
enabled = true
}
+ forward_to = [prometheus.relabel.kubernetes_monitoring_telemetry.receiver]
+ }
+
+ prometheus.relabel "kubernetes_monitoring_telemetry" {
+ rule {
+ source_labels = ["__name__"]
+ regex = "grafana_kubernetes_monitoring_build_info"
+ action = "keep"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubelet
@@ -434,8 +461,13 @@
source_labels = ["__name__"]
regex = "up|go_goroutines|kubelet_certificate_manager_client_expiration_renew_errors|kubelet_certificate_manager_client_ttl_seconds|kubelet_certificate_manager_server_ttl_seconds|kubelet_cgroup_manager_duration_seconds_bucket|kubelet_cgroup_manager_duration_seconds_count|kubelet_node_config_error|kubelet_node_name|kubelet_pleg_relist_duration_seconds_bucket|kubelet_pleg_relist_duration_seconds_count|kubelet_pleg_relist_interval_seconds_bucket|kubelet_pod_start_duration_seconds_bucket|kubelet_pod_start_duration_seconds_count|kubelet_pod_worker_duration_seconds_bucket|kubelet_pod_worker_duration_seconds_count|kubelet_running_container_count|kubelet_running_containers|kubelet_running_pod_count|kubelet_running_pods|kubelet_runtime_operations_errors_total|kubelet_runtime_operations_total|kubelet_server_expiration_renew_errors|kubelet_volume_stats_available_bytes|kubelet_volume_stats_capacity_bytes|kubelet_volume_stats_inodes|kubelet_volume_stats_inodes_free|kubelet_volume_stats_inodes_used|kubelet_volume_stats_used_bytes|kubernetes_build_info|namespace_workload_pod|process_cpu_seconds_total|process_resident_memory_bytes|rest_client_requests_total|storage_operation_duration_seconds_count|storage_operation_errors_total|volume_manager_total_volumes|kubelet_volume_stats_used_bytes"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubelet Resource
@@ -468,8 +500,13 @@
source_labels = ["__name__"]
regex = "up|node_cpu_usage_seconds_total|node_memory_working_set_bytes"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// cAdvisor
@@ -570,8 +607,13 @@
regex = "container_network_.*"
target_label = "__keepme"
replacement = ""
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// API Server
@@ -615,8 +657,13 @@
source_labels = ["__name__"]
regex = "up|apiserver_requested_deprecated_apis|apiserver_request_total|apiserver_request_duration_seconds_sum|apiserver_request_duration_seconds_count|workqueue_depth|process_cpu_seconds_total|process_resident_memory_bytes|apiserver_requested_deprecated_apis"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kube State Metrics
@@ -655,8 +702,13 @@
source_labels = ["__name__"]
regex = "up|kube_daemonset.*|kube_deployment_metadata_generation|kube_deployment_spec_replicas|kube_deployment_status_condition|kube_deployment_status_observed_generation|kube_deployment_status_replicas_available|kube_deployment_status_replicas_updated|kube_horizontalpodautoscaler_spec_max_replicas|kube_horizontalpodautoscaler_spec_min_replicas|kube_horizontalpodautoscaler_status_current_replicas|kube_horizontalpodautoscaler_status_desired_replicas|kube_job.*|kube_namespace_status_phase|kube_node.*|kube_persistentvolume_status_phase|kube_persistentvolumeclaim_access_mode|kube_persistentvolumeclaim_labels|kube_persistentvolumeclaim_resource_requests_storage_bytes|kube_pod_container_info|kube_pod_container_resource_limits|kube_pod_container_resource_requests|kube_pod_container_status_last_terminated_reason|kube_pod_container_status_restarts_total|kube_pod_container_status_waiting_reason|kube_pod_info|kube_pod_owner|kube_pod_start_time|kube_pod_status_phase|kube_pod_status_reason|kube_replicaset.*|kube_resourcequota|kube_statefulset.*|kube_namespace_created|kube_namespace_labels|kube_pod_container_status_running|kube_pod_container_status_ready|kube_pod_container_status_waiting|kube_pod_container_status_terminated|kube_service_info|kube_endpoint_info|kube_ingress_info|kube_deployment_labels|kube_statefulset_labels|kube_daemonset_labels|kube_persistentvolumeclaim_info|kube_hpa_labels|kube_configmap_info|kube_secret_info|kube_networkpolicy_labels|kube_node_info|kube_pod_status_qos_class|kube_pod_container_status_last_terminated_exitcode"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Node Exporter
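Review bot: at the kube-state-metrics stage this drop rule discards, for every kube-system object, series such as `kube_pod_container_status_restarts_total`, `kube_pod_status_phase`, `kube_pod_container_status_last_terminated_reason`, `kube_secret_info` and `kube_namespace_status_phase`, all of which are in the keep regex just above and all of which carry a `namespace` label. Crash loops, unexpected pods or newly created secrets in kube-system therefore become invisible downstream; only namespace-less series like `kube_node.*` survive. Suggest exempting this stage, or listing the kube-system signals that must be retained in a `keep` rule placed before the drop.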
@@ -702,8 +754,13 @@
separator = "@"
regex = "node_filesystem.*@(tempfs)"
action = "drop"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// OpenCost
@@ -738,8 +795,13 @@
source_labels = ["__name__"]
regex = "up|container_cpu_allocation|container_gpu_allocation|container_memory_allocation_bytes|deployment_match_labels|kubecost_cluster_info|kubecost_cluster_management_cost|kubecost_cluster_memory_working_set_bytes|kubecost_http_requests_total|kubecost_http_response_size_bytes|kubecost_http_response_time_seconds|kubecost_load_balancer_cost|kubecost_network_internet_egress_cost|kubecost_network_region_egress_cost|kubecost_network_zone_egress_cost|kubecost_node_is_spot|node_cpu_hourly_cost|node_gpu_count|node_gpu_hourly_cost|node_ram_hourly_cost|node_total_hourly_cost|opencost_build_info|pod_pvc_allocation|pv_hourly_cost|service_selector_labels|statefulSet_match_labels"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Prometheus Operator PodMonitor objects
@@ -754,8 +816,13 @@
}
prometheus.relabel "podmonitors" {
max_cache_size = 100000
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Prometheus Operator Probe objects
@@ -770,8 +837,13 @@
}
prometheus.relabel "probes" {
max_cache_size = 100000
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Prometheus Operator ServiceMonitor objects
@@ -786,8 +858,13 @@
}
prometheus.relabel "servicemonitors" {
max_cache_size = 100000
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Metrics Service
@@ -803,8 +880,13 @@
regex = ""
replacement = "suxessit-uibklab"
target_label = "cluster"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.remote_write.metrics_service.receiver]
}
prometheus.remote_write "metrics_service" {
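Review bot: this `metrics_service` stage is the `forward_to` target of every other relabel stage in the diff, so the identical `namespace` drop rule added to each of those stages is redundant with the one added here; a single copy at this point already filters everything before `prometheus.remote_write.metrics_service.receiver`. Keeping one rule (here, or per stage only where an integration must be exempted) avoids the regex drifting between a dozen copies.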
@@ -930,32 +1012,8 @@
rule_selector {
match_labels = {}
}
}
-
- discovery.relabel "coredns" {
- targets = discovery.kubernetes.pods.targets
- rule {
- source_labels = ["__meta_kubernetes_pod_label_k8s_app"]
- regex = "kube-dns"
- action = "keep"
- }
- rule {
- source_labels = ["__meta_kubernetes_pod_container_port_number"]
- regex = "9153"
- action = "keep"
- }
- rule {
- source_labels = ["__meta_kubernetes_pod_name"]
- target_label = "instance"
- }
- }
- prometheus.scrape "coredns" {
- job_name = "integrations/coredns"
- targets = discovery.relabel.coredns.output
- honor_labels = true
- forward_to = [prometheus.relabel.metrics_service.receiver]
- }
k8s-monitoring-build-info-metric.prom: |
# HELP grafana_kubernetes_monitoring_build_info A metric to report the version of the Kubernetes Monitoring Helm chart as well as a summary of enabled features
# TYPE grafana_kubernetes_monitoring_build_info gauge
- grafana_kubernetes_monitoring_build_info{version="1.6.1", namespace="default", metrics="enabled,alloy,autoDiscover,kube-state-metrics,node-exporter,kubelet,kubeletResource,cadvisor,apiserver,cost,extraConfig", logs="enabled,events,pod_logs", traces="disabled", deployments="kube-state-metrics,prometheus-node-exporter,prometheus-operator-crds"} 1
+ grafana_kubernetes_monitoring_build_info{version="1.6.4", namespace="default", metrics="enabled,alloy,autoDiscover,kube-state-metrics,node-exporter,kubelet,kubeletResource,cadvisor,apiserver,cost,extraConfig", logs="enabled,events,pod_logs", traces="disabled", deployments="kube-state-metrics,prometheus-node-exporter,prometheus-operator-crds"} 1 |
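Review bot: the `discovery.relabel "coredns"` and `prometheus.scrape "coredns"` blocks (kube-dns pods on port 9153, job `integrations/coredns`) are removed outright with no replacement in this hunk, while the build-info line still advertises the same `metrics=` feature list, so the loss of DNS telemetry is visible nowhere but this diff. Confirm whether the upstream chart dropped the integration or an `extraConfig` entry went missing between the 1.6.1 and 1.6.4 renders; DNS query and error rates are a standard health and detection signal and should not disappear as a side effect of a version bump.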
Changes Rendered Chart
diff -U 4 -r out/target/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml out/pr/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml
--- out/target/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml 2024-11-22 16:44:56.028280184 +0000
+++ out/pr/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/hooks/validate-configuration.yaml 2024-11-22 16:44:24.572455829 +0000
@@ -7,10 +7,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -89,8 +89,16 @@
}
}
output {
+ metrics = [otelcol.processor.attributes.default.input]
+ logs = [otelcol.processor.attributes.default.input]
+ }
+ }
+
+ otelcol.processor.attributes "default" {
+
+ output {
metrics = [otelcol.processor.transform.default.input]
logs = [otelcol.processor.transform.default.input]
}
}
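Review bot: the new `otelcol.processor.attributes "default"` block contains no `action` entries, so it is a pure pass-through wired between the preceding component's `output` and `otelcol.processor.transform.default`. If it is meant as an insertion point for later attribute rules, a comment saying so will stop it being cleaned up as dead configuration; if not, the extra hop can be dropped.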
@@ -334,8 +342,13 @@
}
prometheus.relabel "annotation_autodiscovery" {
max_cache_size = 100000
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Grafana Alloy
@@ -381,8 +394,13 @@
source_labels = ["__name__"]
regex = "up|alloy_build_info"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubernetes Monitoring Telemetry
@@ -413,8 +431,17 @@
scrape_interval = "60s"
clustering {
enabled = true
}
+ forward_to = [prometheus.relabel.kubernetes_monitoring_telemetry.receiver]
+ }
+
+ prometheus.relabel "kubernetes_monitoring_telemetry" {
+ rule {
+ source_labels = ["__name__"]
+ regex = "grafana_kubernetes_monitoring_build_info"
+ action = "keep"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubelet
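Review bot: the new `prometheus.relabel "kubernetes_monitoring_telemetry"` keeps only `grafana_kubernetes_monitoring_build_info`, which also discards the `up` series for this scrape job, whereas every other integration in this diff starts its keep regex with `up|`. If scrape failures of the telemetry target should be alertable, make the regex `up|grafana_kubernetes_monitoring_build_info`.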
@@ -443,8 +470,13 @@
source_labels = ["__name__"]
regex = "up|go_goroutines|kubelet_certificate_manager_client_expiration_renew_errors|kubelet_certificate_manager_client_ttl_seconds|kubelet_certificate_manager_server_ttl_seconds|kubelet_cgroup_manager_duration_seconds_bucket|kubelet_cgroup_manager_duration_seconds_count|kubelet_node_config_error|kubelet_node_name|kubelet_pleg_relist_duration_seconds_bucket|kubelet_pleg_relist_duration_seconds_count|kubelet_pleg_relist_interval_seconds_bucket|kubelet_pod_start_duration_seconds_bucket|kubelet_pod_start_duration_seconds_count|kubelet_pod_worker_duration_seconds_bucket|kubelet_pod_worker_duration_seconds_count|kubelet_running_container_count|kubelet_running_containers|kubelet_running_pod_count|kubelet_running_pods|kubelet_runtime_operations_errors_total|kubelet_runtime_operations_total|kubelet_server_expiration_renew_errors|kubelet_volume_stats_available_bytes|kubelet_volume_stats_capacity_bytes|kubelet_volume_stats_inodes|kubelet_volume_stats_inodes_free|kubelet_volume_stats_inodes_used|kubelet_volume_stats_used_bytes|kubernetes_build_info|namespace_workload_pod|process_cpu_seconds_total|process_resident_memory_bytes|rest_client_requests_total|storage_operation_duration_seconds_count|storage_operation_errors_total|volume_manager_total_volumes|kubelet_volume_stats_used_bytes"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kubelet Resource
@@ -477,8 +509,13 @@
source_labels = ["__name__"]
regex = "up|node_cpu_usage_seconds_total|node_memory_working_set_bytes"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// cAdvisor
@@ -579,8 +616,13 @@
regex = "container_network_.*"
target_label = "__keepme"
replacement = ""
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// API Server
@@ -624,8 +666,13 @@
source_labels = ["__name__"]
regex = "up|apiserver_requested_deprecated_apis|apiserver_request_total|apiserver_request_duration_seconds_sum|apiserver_request_duration_seconds_count|workqueue_depth|process_cpu_seconds_total|process_resident_memory_bytes|apiserver_requested_deprecated_apis"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Kube State Metrics
@@ -664,8 +711,13 @@
source_labels = ["__name__"]
regex = "up|kube_daemonset.*|kube_deployment_metadata_generation|kube_deployment_spec_replicas|kube_deployment_status_condition|kube_deployment_status_observed_generation|kube_deployment_status_replicas_available|kube_deployment_status_replicas_updated|kube_horizontalpodautoscaler_spec_max_replicas|kube_horizontalpodautoscaler_spec_min_replicas|kube_horizontalpodautoscaler_status_current_replicas|kube_horizontalpodautoscaler_status_desired_replicas|kube_job.*|kube_namespace_status_phase|kube_node.*|kube_persistentvolume_status_phase|kube_persistentvolumeclaim_access_mode|kube_persistentvolumeclaim_labels|kube_persistentvolumeclaim_resource_requests_storage_bytes|kube_pod_container_info|kube_pod_container_resource_limits|kube_pod_container_resource_requests|kube_pod_container_status_last_terminated_reason|kube_pod_container_status_restarts_total|kube_pod_container_status_waiting_reason|kube_pod_info|kube_pod_owner|kube_pod_start_time|kube_pod_status_phase|kube_pod_status_reason|kube_replicaset.*|kube_resourcequota|kube_statefulset.*|kube_namespace_created|kube_namespace_labels|kube_pod_container_status_running|kube_pod_container_status_ready|kube_pod_container_status_waiting|kube_pod_container_status_terminated|kube_service_info|kube_endpoint_info|kube_ingress_info|kube_deployment_labels|kube_statefulset_labels|kube_daemonset_labels|kube_persistentvolumeclaim_info|kube_hpa_labels|kube_configmap_info|kube_secret_info|kube_networkpolicy_labels|kube_node_info|kube_pod_status_qos_class|kube_pod_container_status_last_terminated_exitcode"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Node Exporter
@@ -711,8 +763,13 @@
separator = "@"
regex = "node_filesystem.*@(tempfs)"
action = "drop"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// OpenCost
@@ -747,8 +804,13 @@
source_labels = ["__name__"]
regex = "up|container_cpu_allocation|container_gpu_allocation|container_memory_allocation_bytes|deployment_match_labels|kubecost_cluster_info|kubecost_cluster_management_cost|kubecost_cluster_memory_working_set_bytes|kubecost_http_requests_total|kubecost_http_response_size_bytes|kubecost_http_response_time_seconds|kubecost_load_balancer_cost|kubecost_network_internet_egress_cost|kubecost_network_region_egress_cost|kubecost_network_zone_egress_cost|kubecost_node_is_spot|node_cpu_hourly_cost|node_gpu_count|node_gpu_hourly_cost|node_ram_hourly_cost|node_total_hourly_cost|opencost_build_info|pod_pvc_allocation|pv_hourly_cost|service_selector_labels|statefulSet_match_labels"
action = "keep"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Prometheus Operator PodMonitor objects
@@ -763,8 +825,13 @@
}
prometheus.relabel "podmonitors" {
max_cache_size = 100000
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Prometheus Operator Probe objects
@@ -779,8 +846,13 @@
}
prometheus.relabel "probes" {
max_cache_size = 100000
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Prometheus Operator ServiceMonitor objects
@@ -795,8 +867,13 @@
}
prometheus.relabel "servicemonitors" {
max_cache_size = 100000
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.relabel.metrics_service.receiver]
}
// Metrics Service
@@ -812,8 +889,13 @@
regex = ""
replacement = "suxessit-uibklab"
target_label = "cluster"
}
+ rule {
+ source_labels = ["namespace"]
+ regex = "^kube-system$"
+ action = "drop"
+ }
forward_to = [prometheus.remote_write.metrics_service.receiver]
}
prometheus.remote_write "metrics_service" {
@@ -939,32 +1021,8 @@
rule_selector {
match_labels = {}
}
}
-
- discovery.relabel "coredns" {
- targets = discovery.kubernetes.pods.targets
- rule {
- source_labels = ["__meta_kubernetes_pod_label_k8s_app"]
- regex = "kube-dns"
- action = "keep"
- }
- rule {
- source_labels = ["__meta_kubernetes_pod_container_port_number"]
- regex = "9153"
- action = "keep"
- }
- rule {
- source_labels = ["__meta_kubernetes_pod_name"]
- target_label = "instance"
- }
- }
- prometheus.scrape "coredns" {
- job_name = "integrations/coredns"
- targets = discovery.relabel.coredns.output
- honor_labels = true
- forward_to = [prometheus.relabel.metrics_service.receiver]
- }
events.alloy: |-
// Cluster Events
loki.source.kubernetes_events "cluster_events" {
job_name = "integrations/kubernetes/eventhandler"
@@ -1178,10 +1236,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff -U 4 -r out/target/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml out/pr/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml
--- out/target/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml 2024-11-22 16:44:56.028280184 +0000
+++ out/pr/k8s-monitoring/values-uibklab.yaml/sx-k8s-monitoring/charts/k8s-monitoring/templates/tests/test.yaml 2024-11-22 16:44:24.572455829 +0000
@@ -7,10 +7,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
@@ -69,10 +69,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "0"
@@ -81,9 +81,9 @@
nodeSelector:
kubernetes.io/os: linux
containers:
- name: config-analysis
- image: ghcr.io/grafana/k8s-monitoring-test:1.6.1
+ image: ghcr.io/grafana/k8s-monitoring-test:1.6.4
command: [/etc/bin/config-analysis.sh]
env:
- name: ALLOY_HOST
value: release-name-alloy.default.svc:12345
@@ -96,10 +96,10 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- app.kubernetes.io/version: 2.8.4
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ app.kubernetes.io/version: 2.8.5
+ helm.sh/chart: "k8s-monitoring-1.6.4"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "0"
@@ -113,16 +113,16 @@
namespace: default
labels:
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "release-name"
- helm.sh/chart: "k8s-monitoring-1.6.1"
+ helm.sh/chart: "k8s-monitoring-1.6.4"
spec:
restartPolicy: Never
nodeSelector:
kubernetes.io/os: linux
containers:
- name: query-test
- image: ghcr.io/grafana/k8s-monitoring-test:1.6.1
+ image: ghcr.io/grafana/k8s-monitoring-test:1.6.4
command: ["bash", "-c", "/etc/bin/query-test.sh /etc/test/testQueries.json"]
volumeMounts:
- name: test-files
mountPath: /etc/test
diff -U 4 -r out/target/keycloak/values-k3d.yaml/sx-keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml out/pr/keycloak/values-k3d.yaml/sx-keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml
--- out/target/keycloak/values-k3d.yaml/sx-keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml 2024-11-22 16:44:57.288273908 +0000
+++ out/pr/keycloak/values-k3d.yaml/sx-keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml 2024-11-22 16:44:25.800450280 +0000
@@ -17,8 +17,9 @@
- roles
- web-origins
- groups
- acr
+ - openid
realmIdRef:
name: sx-cnp-oss
providerConfigRef:
name: "release-name-config"
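Review bot: adding `openid` to this list makes it a default client scope for every client in realm `sx-cnp-oss` managed through `release-name-config`, which changes the default scope set, and with it the token contents, for those clients; the same hunk appears again for the uibklab values below. Since this PR is a dependency bump, state whether the change is expected from the `provider-keycloak` v1.6.0 to v1.7.0 update in the next file, and confirm against the realm that no client was relying on `openid` being absent.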
diff -U 4 -r out/target/keycloak/values-k3d.yaml/sx-keycloak/templates/cp-provider.yaml out/pr/keycloak/values-k3d.yaml/sx-keycloak/templates/cp-provider.yaml
--- out/target/keycloak/values-k3d.yaml/sx-keycloak/templates/cp-provider.yaml 2024-11-22 16:44:57.288273908 +0000
+++ out/pr/keycloak/values-k3d.yaml/sx-keycloak/templates/cp-provider.yaml 2024-11-22 16:44:25.804450261 +0000
@@ -7,5 +7,5 @@
name: provider-keycloak
annotations:
argocd.argoproj.io/sync-wave: "-10"
spec:
- package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.6.0
+ package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.7.0
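Review bot: `provider-keycloak` is referenced by the mutable tag `v1.7.0` only. A Crossplane provider that manages realms, clients and default scopes holds admin-level credentials for Keycloak, so pinning the package by digest would make the upgrade reproducible and protect against the tag being re-pushed with different contents; the uibklab copy below has the same reference.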
diff -U 4 -r out/target/keycloak/values-uibklab.yaml/sx-keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml out/pr/keycloak/values-uibklab.yaml/sx-keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml
--- out/target/keycloak/values-uibklab.yaml/sx-keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml 2024-11-22 16:44:57.332273713 +0000
+++ out/pr/keycloak/values-uibklab.yaml/sx-keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml 2024-11-22 16:44:25.844450079 +0000
@@ -17,8 +17,9 @@
- roles
- web-origins
- groups
- acr
+ - openid
realmIdRef:
name: sx-cnp-oss
providerConfigRef:
name: "release-name-config"
diff -U 4 -r out/target/keycloak/values-uibklab.yaml/sx-keycloak/templates/cp-provider.yaml out/pr/keycloak/values-uibklab.yaml/sx-keycloak/templates/cp-provider.yaml
--- out/target/keycloak/values-uibklab.yaml/sx-keycloak/templates/cp-provider.yaml 2024-11-22 16:44:57.336273696 +0000
+++ out/pr/keycloak/values-uibklab.yaml/sx-keycloak/templates/cp-provider.yaml 2024-11-22 16:44:25.848450061 +0000
@@ -7,5 +7,5 @@
name: provider-keycloak
annotations:
argocd.argoproj.io/sync-wave: "-10"
spec:
- package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.6.0
+ package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.7.0
Only in out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_admissionreports.yaml
Only in out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_backgroundscanreports.yaml
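Review bot: the two `Only in out/target` lines mean the new crds chart no longer ships `admissionreports.kyverno.io` and `backgroundscanreports.kyverno.io`. Helm does not delete CRDs on upgrade, so those definitions and any stored report objects remain in the cluster after the bump; plan a manual removal once nothing consumes them, and check that report consumers (dashboards, policy-report tooling) are not reading from these two kinds.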
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml 2024-11-22 16:44:59.708263235 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml 2024-11-22 16:44:28.388438499 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: cleanuppolicies.kyverno.io
spec:
group: kyverno.io
names:
@@ -157,8 +157,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
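Review bot: the new `oneOf` enforces exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` per ContextEntry, but the `description` just above still reads "Either a ConfigMap reference or a APILookup must be provided", naming two of the five sources; it should be updated alongside. Worth a line in the upgrade notes as well: any existing CleanupPolicy that sets two sources in one entry was accepted by the old schema and will be rejected on the next apply.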
@@ -182,8 +193,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
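Review bot: the new `default` field substitutes a caller-chosen value when the apiCall returns an error, so a failing lookup no longer surfaces as an error but yields this data; for a cleanup policy that is a fail-open path if the default makes a resource look eligible for deletion. The description should state explicitly that the error is swallowed, and the guidance should be to choose a default under which the rule does not match rather than one under which it does.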
@@ -193,8 +209,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -208,8 +225,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
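Review bot: `headers` takes free-form `key`/`value` strings, so the obvious use, an `Authorization` header for the JSON web service, puts a credential in clear text in the policy object and in every `kubectl get` output or GitOps diff of it. The schema offers no Secret reference alternative; the description should at least warn against embedding credentials here, and a secret-reference form of `value` would be the safer design to raise upstream.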
@@ -253,8 +286,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -326,15 +361,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
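Review bot: `not: required: [any, all]` rejects an `exclude` block that sets both `any` and `all`, and `variable` now requires `name`; both are tightenings that existing CleanupPolicy objects may violate, so the upgrade should be preceded by a dry-run apply of the current policies against the new CRD. The `ExcludeResources` description does not mention that `any` and `all` are mutually exclusive; add that so the validation failure is understandable when it hits.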
@@ -349,422 +390,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- match:
- description: |-
- MatchResources defines when cleanuppolicy should be applied. The match
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the user name or role.
- At least one kind is required.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
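Review bot: the new `not: required: [name, names]` block on ResourceDescription is spliced by the diff into the removed Subject schema, so the `required:` context line and the `- name` context line are shared between the deleted Subject `required: [kind, name]` and the added mutual-exclusion constraint; it is worth checking the rendered CRD to confirm the surviving Subject schema still carries `required: [kind, name]` and that the `not` block sits directly under the `resources` ResourceDescription beside `properties`, as the cleanly rendered hunks further down in this diff show. Semantically the constraint only rejects a rule that sets both `name` and `names`, which matches the existing NOTE that `name` is deprecated in favor of `names`; it does not require either field, so policies that use only `name` continue to validate.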
@@ -824,13 +455,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
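Review bot: the added `x-kubernetes-list-type: atomic` on the `values` array and on `matchExpressions` is consistent with the `values` description in the context above ("This array is replaced during a strategic merge patch") and with how current Kubernetes API schemas publish metav1.LabelSelector; for server-side apply it means one field manager owns the whole list and an update replaces it instead of merging elements, which is the right behaviour for selector requirements. No action needed; the same two-line addition recurs in each of the identical matchExpressions hunks later in this diff.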
@@ -894,13 +527,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -966,813 +601,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- schedule:
- description: The schedule in Cron format
- type: string
- required:
- - schedule
- type: object
- status:
- description: Status contains policy runtime data.
- properties:
- conditions:
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastExecutionTime:
- format: date-time
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.schedule
- name: Schedule
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v2alpha1
- schema:
- openAPIV3Schema:
- description: CleanupPolicy defines a rule for resource cleanup.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy behaviors.
- properties:
- conditions:
- description: Conditions defines the conditions used to select the
- resources which will be cleaned up.
- properties:
- all:
- description: |-
- AllConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, all of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- any:
- description: |-
- AnyConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, at least one of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- type: object
- context:
- description: Context defines variables and data sources that can be
- used during rule execution.
- items:
- description: |-
- ContextEntry adds variables and data sources to a rule Context. Either a
- ConfigMap reference or a APILookup must be provided.
- properties:
- apiCall:
- description: |-
- APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
- The data returned is stored in the context with the name for the context entry.
- properties:
- data:
- description: |-
- The data object specifies the POST data sent to the server.
- Only applicable when the method field is set to POST.
- items:
- description: RequestData contains the HTTP POST data
- properties:
- key:
- description: Key is a unique identifier for the data
- value
- type: string
- value:
- description: Value is the data value
- x-kubernetes-preserve-unknown-fields: true
- required:
- - key
- - value
- type: object
- type: array
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- method:
- default: GET
- description: Method is the HTTP request type (GET or POST).
- enum:
- - GET
- - POST
- type: string
- service:
- description: |-
- Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath field.
- properties:
- caBundle:
- description: |-
- CABundle is a PEM encoded CA bundle which will be used to validate
- the server certificate.
- type: string
- url:
- description: |-
- URL is the JSON web service URL. A typical form is
- `https://{service}.{namespace}:{port}/{path}`.
- type: string
- required:
- - url
- type: object
- urlPath:
- description: |-
- URLPath is the URL path to be used in the HTTP GET or POST request to the
- Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl get --raw` command.
- See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details.
- It's mutually exclusive with the Service field.
- type: string
- type: object
- configMap:
- description: ConfigMap is the ConfigMap reference.
- properties:
- name:
- description: Name is the ConfigMap name.
- type: string
- namespace:
- description: Namespace is the ConfigMap namespace.
- type: string
- required:
- - name
- type: object
- globalReference:
- description: GlobalContextEntryReference is a reference to a
- cached global context entry.
- properties:
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- name:
- description: Name of the global context entry
- type: string
- type: object
- imageRegistry:
- description: |-
- ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
- details.
- properties:
- imageRegistryCredentials:
- description: ImageRegistryCredentials provides credentials
- that will be used for authentication with registry
- properties:
- allowInsecureRegistry:
- description: AllowInsecureRegistry allows insecure access
- to a registry.
- type: boolean
- providers:
- description: |-
- Providers specifies a list of OCI Registry names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.
- items:
- description: ImageRegistryCredentialsProvidersType
- provides the list of credential providers required.
- enum:
- - default
- - amazon
- - azure
- - google
- - github
- type: string
- type: array
- secrets:
- description: |-
- Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
- items:
- type: string
- type: array
- type: object
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the ImageData struct returned as a result of processing
- the image reference.
- type: string
- reference:
- description: |-
- Reference is image reference to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest
- type: string
- required:
- - reference
- type: object
- name:
- description: Name is the variable name.
- type: string
- variable:
- description: Variable defines an arbitrary JMESPath context
- variable that can be defined inline.
- properties:
- default:
- description: |-
- Default is an optional arbitrary JSON object that the variable may take if the JMESPath
- expression evaluates to nil
- x-kubernetes-preserve-unknown-fields: true
- jmesPath:
- description: |-
- JMESPath is an optional JMESPath Expression that can be used to
- transform the variable.
- type: string
- value:
- description: Value is any arbitrary JSON object representable
- in YAML or JSON form.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- exclude:
- description: |-
- ExcludeResources defines when cleanuppolicy should not be applied. The exclude
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name or role.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
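Review bot: the `+ not:` / `- - kind` / `+ - names` lines in this hunk are a diff-alignment artifact, not a change to the `Subject` schema. The hunk pairs the removal of a large block of schema (most plausibly one whole API version of the CRD) with a new `not: required: [name, names]` constraint on `resources`, and the diff has matched the old `required:` / `- name` lines of `Subject` against the new block, so it reads as if `kind` were no longer required for subjects. Review the two rendered CRD files side by side rather than this hunk, and confirm the version whose schema disappears here was already unserved before the bump so no client is still writing it.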
@@ -1832,13 +666,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
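Review bot: `x-kubernetes-list-type: atomic` on `matchExpressions` and on its `values` list changes server-side apply semantics: the whole list is now owned and replaced by a single field manager instead of being merged per element. The same two lines recur in most hunks of this file and are consistent with the controller-gen bump to v0.16.1 shown in the next CRD file; they do not affect client-side `kubectl apply`, but deserve a line in the upgrade notes for anyone managing these policies with server-side apply from more than one controller.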
@@ -1902,13 +738,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1966,8 +804,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
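Review bot: `not: required: [any, all]` makes `match.any` and `match.all` mutually exclusive, and the API server enforces new CRD validation only on the next write, so existing policies that set both keep working until someone edits them and then fail with a schema error. Audit before rolling this out, e.g. `kubectl get cleanuppolicies,clustercleanuppolicies -A -o json | jq -r '.items[] | select(.spec.match.any and .spec.match.all) | .metadata.name'`, and expect the same constraint on `exclude` further down in this file.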
@@ -1982,8 +824,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
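Review bot: `not: required: [name, names]` on `resources` matches the deprecation of `name` in favour of `names` that the schema's own description states, but policies written before the rename commonly carry both fields, and this constraint rejects them on their next update. A one-line migration note in the changelog (move the single `name` value into `names`) would spare users a confusing validation error.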
@@ -2043,13 +889,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2113,13 +961,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2185,8 +1035,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2246,13 +1100,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2316,13 +1172,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2378,25 +1236,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
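Review bot: `required: [match, schedule]` makes `spec.match` mandatory, so a policy without a `match` block is rejected on its next write. For a controller whose only action is deleting resources that is the safer default, but it is a breaking schema change and should be called out in the upgrade notes. The shortened `Condition` description is only the removal of the embedded Go example from the generated docs; no field changes there.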
@@ -2435,14 +1286,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -2459,10 +1305,10 @@
type: object
required:
- spec
type: object
- served: false
- storage: false
+ served: true
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
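Review bot: `served`/`storage` flipping to `true` here, together with `storage: false` on `v2beta1` in the last hunk of this file, changes the storage version of the CRD. The API server does not rewrite objects already persisted as `v2beta1`; `status.storedVersions` lists both versions until a storage-version migration (read and re-write every object) is performed, and a later chart release that drops `v2beta1` from `spec.versions` is rejected by the API server until that migration is done. Worth a runbook entry, plus a post-upgrade check such as `kubectl get crd cleanuppolicies.kyverno.io -o jsonpath='{.status.storedVersions}'`.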
@@ -2470,8 +1316,9 @@
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: CleanupPolicy defines a rule for resource cleanup.
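Review bot: `deprecated: true` on `v2beta1` only makes the API server emit a generic deprecation warning to clients; adding `deprecationWarning` with the replacement version named tells users what to migrate to and when. Since this version stays `served: true`, clients pinned to it keep working, but the warning will now show up in every `kubectl` interaction and in audit logs, so it is worth announcing.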
@@ -2595,8 +1442,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
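Review bot: the `oneOf` block requires exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` per context entry, so an entry that sets none (or two) is now rejected on write, while the description two lines above still says only "Either a ConfigMap reference or a APILookup must be provided". The description is stale relative to the five alternatives and worth fixing upstream; for this PR, the practical check is that no existing policy context entry combines two sources.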
@@ -2620,8 +1478,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
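Review bot: `apiCall.default` makes a failed API lookup fail open: the context variable silently takes the default value instead of the rule erroring. For a cleanup policy, whose only action is deletion, the default must be chosen so that a lookup failure narrows rather than widens what gets deleted, and because the field is `x-kubernetes-preserve-unknown-fields: true` nothing in the schema constrains it. Suggest documenting that policies which rely on an `apiCall` to scope deletions should either omit `default` or set it to a value that matches nothing.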
@@ -2631,8 +1494,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2646,8 +1510,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
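Review bot: `headers[].value` is a plain string with no secret-reference form, so any credential placed there (the `url` description explicitly allows non-Kubernetes JSON web services) is stored in clear in the policy object, readable by anyone with `get` on the policy resource, and copied into audit logs and GitOps history. Either document that `headers` is for non-sensitive metadata only, or flag the exposure in the upgrade notes so operators do not put bearer tokens into cleanup policies.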
@@ -2691,8 +1571,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2764,15 +1646,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -2787,8 +1675,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2848,13 +1740,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2918,13 +1812,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2990,8 +1886,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3051,13 +1951,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3121,13 +2023,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3185,8 +2089,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -3201,8 +2109,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3262,13 +2174,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3332,13 +2246,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3404,8 +2320,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3465,13 +2385,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3535,13 +2457,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3597,25 +2521,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
@@ -3654,14 +2571,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -3679,7 +2591,7 @@
required:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
Only in out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_clusteradmissionreports.yaml
Only in out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_clusterbackgroundscanreports.yaml
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml
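Review bot: the two `Only in out/target` lines mean the `clusteradmissionreports` and `clusterbackgroundscanreports` CRDs are rendered on the target branch but not in this PR. Because they live under `charts/crds/templates/`, Helm treats them as ordinary release resources and deletes them on upgrade once they drop out of the manifest, and deleting a CRD deletes every object of that kind. Confirm what the chart replaces them with and that nothing downstream (dashboards, alert rules, report exporters) still reads those kinds before merging.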
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml 2024-11-22 16:44:59.708263235 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml 2024-11-22 16:44:28.388438499 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clustercleanuppolicies.kyverno.io
spec:
group: kyverno.io
names:
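Review bot: this is a jump of two minor versions of the `crds` subchart (3.2.7 to 3.3.3) plus a controller-gen bump (v0.15.0 to v0.16.1), and the two have different blast radius: the controller-gen bump accounts for the many `x-kubernetes-list-type: atomic` additions, while the new `not`/`oneOf`/`required` constraints and the storage-version changes come from the chart itself. Please link the upstream release notes for the intermediate versions in the PR description so each schema change can be matched to its upgrade note.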
@@ -157,8 +157,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -182,8 +193,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -193,8 +209,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -208,8 +225,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -253,8 +286,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -326,15 +361,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -349,422 +390,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- match:
- description: |-
- MatchResources defines when cleanuppolicy should be applied. The match
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the user name or role.
- At least one kind is required.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
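Review bot: same alignment artifact as in the previous file, and here it is more misleading: the hunk header `@@ -349,422 +390,12 @@` shows a 422-line block replaced by 12 lines, and the removed lines include an entire `match:` block with its description. The deletion is most plausibly one API version's schema being removed, with the new `not: required: [name, names]` constraint diffed against the old `Subject.required` lines; it is not a removal of `match` from the remaining version. Suggest generating the rendered-chart diff per CRD version, or with `diff --minimal`, so future bumps are reviewable.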
@@ -824,13 +455,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -894,13 +527,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -966,813 +601,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- schedule:
- description: The schedule in Cron format
- type: string
- required:
- - schedule
- type: object
- status:
- description: Status contains policy runtime data.
- properties:
- conditions:
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastExecutionTime:
- format: date-time
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.schedule
- name: Schedule
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v2alpha1
- schema:
- openAPIV3Schema:
- description: ClusterCleanupPolicy defines rule for resource cleanup.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy behaviors.
- properties:
- conditions:
- description: Conditions defines the conditions used to select the
- resources which will be cleaned up.
- properties:
- all:
- description: |-
- AllConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, all of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- any:
- description: |-
- AnyConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, at least one of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- type: object
- context:
- description: Context defines variables and data sources that can be
- used during rule execution.
- items:
- description: |-
- ContextEntry adds variables and data sources to a rule Context. Either a
- ConfigMap reference or a APILookup must be provided.
- properties:
- apiCall:
- description: |-
- APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
- The data returned is stored in the context with the name for the context entry.
- properties:
- data:
- description: |-
- The data object specifies the POST data sent to the server.
- Only applicable when the method field is set to POST.
- items:
- description: RequestData contains the HTTP POST data
- properties:
- key:
- description: Key is a unique identifier for the data
- value
- type: string
- value:
- description: Value is the data value
- x-kubernetes-preserve-unknown-fields: true
- required:
- - key
- - value
- type: object
- type: array
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- method:
- default: GET
- description: Method is the HTTP request type (GET or POST).
- enum:
- - GET
- - POST
- type: string
- service:
- description: |-
- Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath field.
- properties:
- caBundle:
- description: |-
- CABundle is a PEM encoded CA bundle which will be used to validate
- the server certificate.
- type: string
- url:
- description: |-
- URL is the JSON web service URL. A typical form is
- `https://{service}.{namespace}:{port}/{path}`.
- type: string
- required:
- - url
- type: object
- urlPath:
- description: |-
- URLPath is the URL path to be used in the HTTP GET or POST request to the
- Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl get --raw` command.
- See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details.
- It's mutually exclusive with the Service field.
- type: string
- type: object
- configMap:
- description: ConfigMap is the ConfigMap reference.
- properties:
- name:
- description: Name is the ConfigMap name.
- type: string
- namespace:
- description: Namespace is the ConfigMap namespace.
- type: string
- required:
- - name
- type: object
- globalReference:
- description: GlobalContextEntryReference is a reference to a
- cached global context entry.
- properties:
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- name:
- description: Name of the global context entry
- type: string
- type: object
- imageRegistry:
- description: |-
- ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
- details.
- properties:
- imageRegistryCredentials:
- description: ImageRegistryCredentials provides credentials
- that will be used for authentication with registry
- properties:
- allowInsecureRegistry:
- description: AllowInsecureRegistry allows insecure access
- to a registry.
- type: boolean
- providers:
- description: |-
- Providers specifies a list of OCI Registry names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.
- items:
- description: ImageRegistryCredentialsProvidersType
- provides the list of credential providers required.
- enum:
- - default
- - amazon
- - azure
- - google
- - github
- type: string
- type: array
- secrets:
- description: |-
- Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
- items:
- type: string
- type: array
- type: object
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the ImageData struct returned as a result of processing
- the image reference.
- type: string
- reference:
- description: |-
- Reference is image reference to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest
- type: string
- required:
- - reference
- type: object
- name:
- description: Name is the variable name.
- type: string
- variable:
- description: Variable defines an arbitrary JMESPath context
- variable that can be defined inline.
- properties:
- default:
- description: |-
- Default is an optional arbitrary JSON object that the variable may take if the JMESPath
- expression evaluates to nil
- x-kubernetes-preserve-unknown-fields: true
- jmesPath:
- description: |-
- JMESPath is an optional JMESPath Expression that can be used to
- transform the variable.
- type: string
- value:
- description: Value is any arbitrary JSON object representable
- in YAML or JSON form.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- exclude:
- description: |-
- ExcludeResources defines when cleanuppolicy should not be applied. The exclude
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name or role.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
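Review bot: this hunk removes an entire served version of the CRD (the deleted block from `- additionalPrinterColumns:` through `name: v2alpha1` and its full `openAPIV3Schema`) and, in the surviving version, adds `not: required: [name, names]` under `resources`. Two checks before merging: first, confirm no objects are still stored at the removed version (`.status.storedVersions` on the CRD must not list it, otherwise the API server will reject the new CRD), since the page gives no evidence of a storage migration; second, any existing policy that sets both `name` and `names` in a `resources` block will now fail admission on its next update, so grep the policies in this repo for that combination and move them to `names` alone, as the deleted `NOTE: "Name" is being deprecated in favor of "Names"` already advised.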
@@ -1832,13 +666,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1902,13 +738,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1966,8 +804,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
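Review bot: the new `not: required: [any, all]` under `match` makes `any` and `all` mutually exclusive at admission time rather than leaving the combination to the controller, so a policy in this repo that mixes both will be rejected on apply after this upgrade. Note that the constraint only forbids setting both; it does not enforce the "At least one kind is required" sentence in the description just above it, so a `match` with neither `any` nor `all` still passes schema validation.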
@@ -1982,8 +824,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2043,13 +889,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2113,13 +961,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2185,8 +1035,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2246,13 +1100,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2316,13 +1172,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2378,25 +1236,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
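Review bot: `- match` is added to the `spec` `required` list, so `spec.match` becomes mandatory alongside `schedule`; a cleanup policy that relied on `conditions` or `exclude` alone will fail validation on its next apply. Worth a quick scan of the policies in this repo before merging, since a rejected policy means the scheduled cleanup silently stops rather than failing loudly.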
@@ -2435,14 +1286,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -2459,10 +1305,10 @@
type: object
required:
- spec
type: object
- served: false
- storage: false
+ served: true
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
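Review bot: flipping `served`/`storage` from `false` to `true` on this version makes it the storage version and exposes a version that was previously disabled. After the upgrade `.status.storedVersions` will carry both the old and the new storage version until every existing object has been rewritten, and the old version cannot be dropped from the CRD until that rewrite has happened; plan that migration explicitly rather than relying on the chart upgrade to do it.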
@@ -2470,8 +1316,9 @@
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: ClusterCleanupPolicy defines rule for resource cleanup.
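Review bot: `deprecated: true` on `v2beta1` makes the API server attach a Warning header to every request against that version, which kubectl and GitOps tooling will surface on each sync. Consider pairing it with a `deprecationWarning` message that names the replacement version, and migrate the manifests in this repo that still use `apiVersion: .../v2beta1` so the warnings do not become permanent noise.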
@@ -2595,8 +1442,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
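Review bot: the `oneOf` block with five single-entry `required` lists enforces exactly one data source per context entry (`configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`); an entry with none, or with two, now fails admission instead of being resolved by the controller. The description immediately above it ("Either a ConfigMap reference or a APILookup must be provided") is stale against that list and should name all five sources.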
@@ -2620,8 +1478,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
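Review bot: the new `default` on `apiCall` makes the lookup fail open: when the API call returns an error the rule continues with the default value instead of the rule failing. For a cleanup policy, which deletes the resources it selects, a transient API server error combined with a permissive default can change which objects are matched, so leave `default` unset unless the fallback is deliberately the conservative value (one that selects nothing).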
@@ -2631,8 +1494,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2646,8 +1510,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
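Review bot: `headers[].value` is a plain `type: string` with no secret reference, so any bearer token or API key placed in a header lives in clear text in the policy object, in this repo's git history and in the rendered chart. Keep these headers to non-sensitive values (content negotiation, correlation ids) and keep authentication material out of the policy; `caBundle` on the same `service` block covers server authentication only.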
@@ -2691,8 +1571,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2764,15 +1646,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
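Review bot: the added `not: required: [any, all]` block (rendered over four lines in this hunk) rejects an exclude clause that sets both any and all, which the previous schema allowed; this is a validation-time breaking change for existing policies, so check the repo's policies for exclude blocks that use both before merging.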
@@ -2787,8 +1675,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
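Review bot: `not: required: [name, names]` under resources makes name and names mutually exclusive; a resource selector that sets both will be rejected at apply time after this CRD update, so existing policies need the same check as the any/all change above.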
@@ -2848,13 +1740,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
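Review bot: marking the matchExpressions list and its values list as x-kubernetes-list-type: atomic changes server-side apply semantics: the whole list is owned and replaced by a single field manager, so two managers (a GitOps controller and a manual kubectl patch, for example) can no longer each own separate entries. This matches the upstream label-selector schema, but it is worth knowing when patching policy selectors in place.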
@@ -2918,13 +1812,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2990,8 +1886,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3051,13 +1951,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3121,13 +2023,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3185,8 +2089,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -3201,8 +2109,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3262,13 +2174,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3332,13 +2246,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3404,8 +2320,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3465,13 +2385,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3535,13 +2457,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3597,25 +2521,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
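Review bot: the cleanup policy spec now requires match in addition to schedule, so a CleanupPolicy manifest that omits match will be rejected after the upgrade; confirm none of the deployed cleanup policies rely on an empty match. The shortened Condition description in the same hunk only drops the embedded Go example and is not a schema change.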
@@ -3654,14 +2571,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -3679,7 +2591,7 @@
required:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {} |
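Review bot: flipping this version to storage: false is only valid if another version of the same CRD is marked storage: true, and that version is outside this hunk, so confirm it exists in the rendered output. Objects already persisted under the old storage version remain at that encoding in etcd until they are rewritten, and the API server keeps the old version listed in status.storedVersions, so the old version cannot be dropped from the CRD until a storage version migration has been run.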
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 2024-11-22 16:44:59.712263217 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 2024-11-22 16:44:28.388438499 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
names:
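Review bot: the crds subchart moves from 3.2.7 to 3.3.3 and was regenerated with controller-gen v0.16.1 instead of v0.15.0, so the rest of this file's diff is a schema change rather than a label-only bump; review it for validation tightening (the new required, oneOf and not clauses) against the policies deployed from this repo instead of approving on the version labels alone.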
@@ -32,11 +32,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
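Review bot: removing the VALIDATE ACTION printer column changes the column layout of `kubectl get clusterpolicy` output, so any script or runbook that parses that column position will break after the upgrade; the underlying .spec.validationFailureAction field itself is not touched in this hunk.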
@@ -113,31 +110,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
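Review bot: the top-level failurePolicy is marked deprecated in favour of failurePolicy under webhookConfiguration, but the field and its Ignore/Fail enum are retained, so policies that still set spec.failurePolicy pass schema validation and nothing forces a migration. Because this field decides whether admission fails closed (Fail) or open (Ignore) when the webhook errors or times out, check each policy in this repo that sets it and move the value to webhookConfiguration so the intended fail-closed behaviour is preserved. The same applies to generateExisting and mutateExistingOnPolicyUpdate, which this hunk deprecates in favour of the per-rule fields; the new emitWarning flag defaults to false and only adds API warnings, with the stated cost of longer admission processing.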
@@ -153,16 +150,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
- by fulfilled for a request to be sent to a webhook.
+ be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -170,9 +166,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -183,9 +178,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -198,8 +192,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -224,8 +229,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -235,9 +245,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -251,8 +261,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -296,8 +322,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -370,15 +398,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -394,8 +428,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -456,13 +494,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -527,13 +567,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -600,8 +642,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -662,13 +708,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -733,13 +781,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -802,8 +852,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -863,13 +917,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -933,13 +989,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1051,13 +1109,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1073,8 +1133,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
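Review bot: two points in the new generate.foreach block. The description of foreach[].list says the elements are those "to which the validation logic is applied", which is copied from the validate foreach text; under a generate rule it should say generate logic, worth reporting upstream. Operationally, the nested imageRegistry context exposes imageRegistryCredentials.allowInsecureRegistry, which permits insecure access to the registry used for image lookups; policies in this repo should leave it unset, and a reviewer should flag any policy that turns it on. The hunk also adds generateExisting under the generate rule, which is where the top-level deprecation message earlier in this diff points.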
@@ -1146,8 +1651,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -1163,8 +1672,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1225,13 +1738,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1296,13 +1811,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1369,8 +1886,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1431,13 +1952,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1502,13 +2025,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1571,8 +2096,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1632,13 +2161,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1702,13 +2233,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1778,8 +2311,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
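Review bot: the `oneOf` block now enforces exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`, but the unchanged description directly above it still reads "Either a ConfigMap reference or a APILookup must be provided." That text is now wrong on two counts (it names only two of the five sources, and "a APILookup" should be "an APILookup"); suggest updating it to list all five alternatives and to state that exactly one must be set. The identical stale description appears in the repeated context hunks under the mutate and validate rules further down.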
@@ -1804,8 +2348,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
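Review bot: the `default` description says the value is used "if the apiCall returns error" (should read "returns an error"), but it does not say what happens to the error itself. As written, a failed lookup silently resolves to the fallback object and the rule is then evaluated against data the API never returned; that is a fail-open path when the default is permissive. Suggest the description state explicitly that the lookup error is swallowed when `default` is set and that operators should choose a default that causes the rule to deny, not pass, when the real data is unavailable.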
@@ -1815,9 +2364,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -1831,8 +2380,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
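Review bot: `headers[].value` is a plain `type: string` with no alternative that references a Secret, so any authentication header supplied for the JSON web service call is stored in clear text inside the policy object, which is typically readable cluster-wide. Suggest either documenting in the `headers` description that values are stored unencrypted in the policy, or extending the item schema with a secret reference. The same header schema is repeated in the later `@@ -2171` and `@@ -2742` hunks.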
@@ -1878,8 +2446,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -1953,8 +2523,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -2090,8 +2662,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
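Review bot: `mutateExistingOnPolicyUpdate` is declared as `type: boolean` with no `default:` line, so the behaviour when the field is omitted is not recoverable from the schema. Suggest adding `default: false` (or whichever value the controller actually uses) and stating the unset behaviour in the description, since re-applying a mutation to every existing resource on a policy edit is a side effect operators need to predict.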
@@ -2118,8 +2694,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2144,8 +2731,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2155,9 +2747,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2171,8 +2763,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -2218,8 +2829,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2293,8 +2906,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -2312,8 +2927,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -2331,8 +2994,14 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -2341,13 +3010,22 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting violating
+ resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
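Review bot: `allowExistingViolations` defaults to `true`, which means a policy applied in enforce mode leaves already-violating resources untouched unless the author opts out; the description should say that the default is permissive so that is a conscious choice. The description also misspells "prexisting" (should be "preexisting"). The new `assert` field is `x-kubernetes-preserve-unknown-fields: true` with no schema, which is fine for an assertion tree, but the description "Assert defines a kyverno-json assertion tree." could link to the format's documentation the way the `deny` description links to the deny-rules page.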
@@ -2364,21 +3042,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -2390,15 +3065,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -2416,9 +3089,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -2436,12 +3109,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -2459,9 +3132,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -2533,29 +3206,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -2568,22 +3241,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
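Review bot: this hunk removes the line "Default to `Deny`" from the `parameterNotFoundAction` description and replaces it with "Required", but the field still has no `required:` entry in the visible schema and no `enum:` restricting it to `Allow`/`Deny`. If the default really was dropped, a binding that omits the field now has undefined behaviour, and `Allow` is the fail-open choice; suggest either restoring `default: Deny` in the schema or adding the field to the parent's `required` list and an `enum` with the two allowed values so the description and schema agree.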
@@ -2612,13 +3283,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2636,9 +3309,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -2653,8 +3327,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -2667,8 +3342,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
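Review bot: the new `failureAction` on the validate rule has no `default:`, whereas the deprecated top-level `validationFailureAction` (in the `@@ -4123` hunk below) defaults to `Audit`; the description should state what applies when the rule-level field is unset and which of the two wins when both are set, because the difference between Audit and Enforce is the difference between reporting and blocking. Also, `failureActionOverrides[].action` accepts `audit`/`enforce` in lowercase while `failureAction` accepts only `Audit`/`Enforce`; suggest aligning the two enums. Minor: `failureActionOverrides[].namespaces` has no description.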
@@ -2689,8 +3445,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2715,8 +3482,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2726,9 +3498,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2742,8 +3514,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -2789,8 +3580,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2864,8 +3657,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -3071,8 +3866,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
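Review bot: the `tsaCertChain` description ends with "if not present in the timestamurce", which is a garbled word (presumably "timestamp response" or similar) and should be fixed; the same text is copied into every later `tsaCertChain` hunk on this page. The description also calls the field a "certificate chain file" while the schema type is a plain string, so it should state whether the value is the PEM content itself or a path.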
@@ -3121,13 +3922,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
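Review bot: `issuerRegExp` (and `subjectRegExp` in the next hunk) introduce regular-expression matching for keyless identity, but the descriptions do not say whether the pattern must match the whole issuer/subject or only a substring, nor what happens when both the exact `issuer` and `issuerRegExp` are set. An unanchored pattern such as `example.com` would also accept `example.com.attacker-controlled` identities, so suggest the description state the matching semantics (full match vs. search) and recommend anchoring, and that the schema or docs define precedence between the exact and regex forms.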
@@ -3157,8 +3969,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3177,8 +3995,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3234,18 +4058,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -3472,8 +4301,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3522,13 +4357,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3558,8 +4404,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3578,8 +4430,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3636,19 +4494,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -3763,8 +4625,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -3832,8 +4697,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3881,13 +4752,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3916,8 +4798,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -3936,8 +4824,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3992,22 +4886,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
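Review bot: `failureAction` on the image verification rule has only the one-line description "Allowed values are Audit or Enforce." and no `default:`; unlike the validate-rule variant earlier in this diff it does not even say what the field does. Suggest reusing the fuller validate-rule wording and stating the unset behaviour. For `cosignOCI11`, the description labels the OCI 1.1 behaviour experimental and defaulting to false, which is good; consider adding `default: false` to the schema as well so the value is materialised on the object.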
@@ -4091,26 +5001,50 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
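Review bot: adding `match` to the rule's `required` list is a breaking schema change: any existing policy with a rule that omits `match` will be rejected on apply, and there is no mention of this in the hunk's descriptions. Suggest calling this out in the upgrade notes. Separately, the new `validate.deny` block under image verification inherits the deny-rules description verbatim, including "will be deprecated in the next major release" for direct condition lists; confirm that deprecation applies here too or trim the text.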
@@ -4123,23 +5057,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
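Review bot: the new deprecation text says "use validationFailureAction under the validate rule instead" and "use validationFailureActionOverrides under the validate rule instead", but the fields added under the validate rule in the `@@ -2667` hunk above are named `failureAction` and `failureActionOverrides`. Operators following this description will look for a field that does not exist; suggest correcting both descriptions to the actual names.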
@@ -4181,13 +5111,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4203,14 +5135,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
```
</details> |
Changes Rendered Chart description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
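Review bot: the new `failurePolicy` field is the one that decides whether a request is admitted when the webhook call fails or times out, yet its description says `Defaults to Fail` without a `default: Fail` in the schema, unlike `validationFailureAction` (`default: Audit`) and `method` (`default: GET`) elsewhere in this CRD; please add the schema default so `kubectl explain` and dry-run output match the documented behaviour, and state in the description that `Ignore` lets a timed-out or failed webhook call through even for rules in Enforce mode. The sentence `This field should not be accessed directly, instead \`GetFailurePolicy()\` should be used` is Go-internal guidance and should not ship in a user-facing CRD description. The `matchConditions` item description in the unchanged context still reads `must by fulfilled`, although the same typo is corrected in the CELPreconditions copy later in this diff.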
@@ -4218,9 +5161,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4228,9 +5170,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4241,22 +5182,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
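Review bot: the deprecation text for `webhookTimeoutSeconds` points users to `webhookTimeoutSeconds under webhookConfiguration`, but the field this hunk adds under `webhookConfiguration` is named `timeoutSeconds`, so a user following the message will write a field the schema rejects. Suggest `description: Deprecated, use timeoutSeconds under webhookConfiguration instead.` Also, the new `timeoutSeconds` description says the value must be between 1 and 30 seconds, but neither it nor the deprecated field declares `minimum: 1` / `maximum: 30`, so out-of-range values pass CRD validation; add the bounds to the schema.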
@@ -4279,16 +5224,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4296,9 +5240,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4309,9 +5252,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -4324,8 +5266,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
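Review bot: the `oneOf` of five `required` alternatives makes exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` mandatory, which is stricter than before: an existing policy whose context entry carries more than one source, or none, will be rejected on apply after this upgrade. The description directly above still says `Either a ConfigMap reference or a APILookup must be provided`; update it to list all five alternatives and to say that exactly one is allowed. The same block is added to the other two ContextEntry copies in this diff.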
@@ -4350,8 +5303,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
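Review bot: `default` turns a failed `apiCall` into a context value, but the description does not say whether the lookup error is still surfaced anywhere; for a rule whose deny decision depends on the lookup result, a `default` that happens to satisfy the condition converts an API-server outage into a silent allow. Suggest the description state that the error is swallowed when `default` is set (or how it is still reported), so policy authors choose the fallback value deliberately.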
@@ -4361,9 +5319,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -4377,8 +5335,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
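Review bot: the new `headers` list stores each header `value` as a plain `type: string`, so anything placed there, including an `Authorization` header for the external JSON web service, sits in clear text in the policy object and in every `kubectl get -o yaml` or audit record that includes the spec; there is no secret-reference form. Worth saying in the `headers` description that values are not treated as secrets, and noting it in the release notes.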
@@ -4422,8 +5396,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -4497,15 +5473,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -4521,8 +5503,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4583,13 +5569,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4655,13 +5643,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4728,8 +5718,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4790,13 +5784,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4862,13 +5858,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4931,8 +5929,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4993,13 +5995,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5064,13 +6068,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5185,13 +6191,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5207,8 +6215,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
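Review bot: inside the new `foreach` block the `list` description reads `to which the validation logic is applied`, but this is the generate rule's foreach, so it should say the generate logic is applied. The `data`, `clone` and `cloneList` descriptions say at most one of Data or Clone may be set, yet unlike the `not: required:` and `oneOf` constraints this diff adds elsewhere, no schema constraint enforces that here, so the exclusivity is only checked at runtime; consider a `not: required: [data, clone]` (and the same for `cloneList`) for consistency. Minor: the `GenerateExisting` description has `If is set to "true"` (missing `it`).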
@@ -5280,8 +6741,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -5297,8 +6762,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5359,13 +6828,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5431,13 +6902,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5504,8 +6977,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5566,13 +7043,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5638,13 +7117,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5707,8 +7188,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5769,13 +7254,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5840,13 +7327,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5917,8 +7406,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -5944,8 +7444,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -5955,9 +7460,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -5971,8 +7476,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6020,8 +7544,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6097,8 +7623,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -6237,8 +7765,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
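Review bot: `mutateExistingOnPolicyUpdate` has no `default:` in the schema and its description does not say which behaviour applies when the field is omitted, while the other booleans added in this diff (`skipBackgroundRequests`, `allowExistingViolations`) declare one. Because `true` here means the mutateExisting rule runs against existing resources on policy events, the default should be explicit in both the schema and the description.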
@@ -6265,8 +7798,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -6292,8 +7836,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -6303,9 +7852,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6319,8 +7868,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6368,8 +7936,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6445,8 +8015,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -6464,8 +8036,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -6483,8 +8103,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -6493,13 +8120,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
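Review bot: the new `allowExistingViolations` field under `validate` ships with `default: true`, so resources that already violate a rule are allowed to keep violating it unless the policy author sets the field to `false` explicitly; this default deserves a line in the release notes for this chart bump so policy owners are not surprised that existing violators are tolerated. Two smaller points in the same hunk: the description spells `prexisting` (should be `preexisting`, an upstream fix), and the new `assert` object is declared with `x-kubernetes-preserve-unknown-fields: true`, which means the API server performs no structural validation of the assertion tree, so malformed assertions will only surface at policy evaluation time.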
@@ -6516,21 +8153,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -6542,15 +8176,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -6569,14 +8201,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -6591,12 +8223,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -6615,10 +8247,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -6690,29 +8322,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -6725,22 +8357,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
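Review bot: in the `Allow`/`Deny` action field of the paramRef schema, the description line `Default to Deny` is removed and replaced by `Required`, but the hunk adds neither a `default:` nor a `required:` entry to the schema itself. A field that used to fail closed (`Deny`) when unset now has no documented fallback, so confirm whether the controller rejects bindings that omit it or silently treats missing parameters as `Allow`; if the latter, consider restoring `default: Deny` in the CRD.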
@@ -6769,13 +8399,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -6793,9 +8425,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -6810,8 +8443,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -6824,8 +8458,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
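Review bot: `failureAction` is added with `enum: [Audit, Enforce]` and no `default:`, while `failureActionOverrides[].action` accepts `audit`, `enforce`, `Audit` and `Enforce`; the two enums should agree on casing so that a value valid in one place is not rejected in the other. Also, the `namespaces` array in the override item has no description, and the rule-level field does not say which wins when both `failureAction` and a matching override are present; a one-line precedence statement in the description would help reviewers of policies that rely on Enforce.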
@@ -6847,8 +8562,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
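Review bot: the `oneOf` block added to context entries correctly forces exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` to be set, but the description directly above it still reads "Either a ConfigMap reference or a APILookup must be provided", which now understates the allowed sources and should be updated to list all five. Note also that this tightening is a behaviour change: a context entry that previously set two sources (and relied on the controller picking one) will now be rejected at admission of the policy.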
@@ -6874,8 +8600,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
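Review bot: the new `default` field on `apiCall` sets the context value "if the apiCall returns error", which turns a lookup failure into a fail-open path: a validate rule that compares against data fetched from the API server will evaluate against the static default instead of failing when the call errors. The description should say so explicitly, and policy authors using this for authorization-style checks (for example, looking up allowed values in another resource) should be steered toward a default that makes the rule deny rather than one that makes it pass.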
@@ -6885,9 +8616,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6901,8 +8632,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
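Review bot: the new `headers` list on the JSON web service call takes `value` as a plain `type: string` with no secret reference alternative, so any bearer token or API key needed by the upstream service ends up stored in clear text inside the cluster-scoped policy object and is visible to anyone who can read policies. The description should warn about this, and an optional reference to a Secret (like the existing `caBundle` pattern for trust material) would be the safer shape for authenticated endpoints.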
@@ -6950,8 +8700,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -7027,8 +8779,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -7238,8 +8992,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
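Review bot: the `tsaCertChain` description ends with the garbled word `timestamurce`, and it is ambiguous whether the string is the PEM-encoded chain itself or the path to a "certificate chain file"; since the field is `type: string` the schema does not resolve this. The same text is copied into every later `tsaCertChain` hunk in this diff, so it is worth fixing once upstream rather than in each copy.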
@@ -7288,13 +9048,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
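Review bot: `issuerRegExp` widens the trust decision for keyless signing from an exact `issuer` match to a regular expression, and the description does not say whether the pattern is anchored or may match a substring of the issuer URL. An unanchored pattern is easy to get wrong (for example, one that also matches a lookalike issuer host), so the description should state the matching semantics, and the chart's example policies should show an anchored pattern.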
@@ -7324,8 +9095,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
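Review bot: with both `subject` and the new `subjectRegExp` present in the same keyless block, the schema does not say whether they are mutually exclusive or what happens when both are set (AND, OR, or one silently ignored). Because the subject is the identity that is ultimately trusted, the precedence should be documented in the description or enforced with a `oneOf`, as this diff already does for context entries.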
@@ -7344,8 +9121,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7402,19 +9185,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
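Review bot: this hunk deprecates the key-level `signatureAlgorithm` in favour of a new attestor-level one, but both keep `default: sha256`, so a policy that still sets the deprecated field to a different value (for example `sha512`) will have the new field defaulted to `sha256` next to it. Confirm which value the controller honours when they disagree, and state it in the deprecated field's description; otherwise the migration can silently change which digest the signature is verified against.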
@@ -7642,8 +9429,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -7694,13 +9487,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -7732,8 +9537,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -7753,8 +9565,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7813,19 +9631,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -7940,8 +9764,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -8009,8 +9836,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -8059,13 +9892,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -8095,8 +9939,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -8115,8 +9965,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -8173,22 +10029,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
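Review bot: `cosignOCI11` is documented as experimental and defaults to `false`, which is the right default; the chart values should keep it off unless an image-verification rule specifically needs the OCI 1.1 behaviour. The rule-level `failureAction` added alongside it has no `default:` either, so the description should say whether an image verification rule without it inherits the policy-level action or falls back to Audit.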
@@ -8273,42 +10145,58 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
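Review bot: adding `- match` to the rule's `required` list is a breaking schema change: any existing ClusterPolicy whose rule omits `match` will fail validation once the updated CRD is applied, so this deserves a release-note entry and a dry run of existing policies against the new schema before merging. The `type` enum also gains `SigstoreBundle`, and the new `validate.deny.conditions` under image verification uses `x-kubernetes-preserve-unknown-fields: true`, so the condition structure is not validated by the API server.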
@@ -8347,14 +10235,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -8406,10 +10289,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
@@ -8423,11 +10304,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
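Review bot: the `VALIDATE ACTION` printer column (backed by `.spec.validationFailureAction`) is removed without a replacement column, so `kubectl get` output no longer shows whether a policy is in Audit or Enforce mode. If the field has moved to the rule level (as the `failureAction` hunks earlier in this diff suggest), a column over the new location, or at least a note in the release notes, would keep that visibility for operators.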
@@ -8504,30 +10382,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
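Review bot: the policy-level `failurePolicy` description loses its "Defaults to Fail" sentence and is marked deprecated in favour of `webhookConfiguration`, while the enum stays `Ignore`/`Fail` with no schema `default:`. Since `Ignore` means admission fails open on webhook errors and timeouts, the description should state what an unset value resolves to during the deprecation window. The new `emitWarning` defaults to `false` and the description already notes its cost on admission latency, which is fine; the three other fields deprecated here (`generateExisting`, `mutateExistingOnPolicyUpdate`) should name the exact new path in their descriptions rather than "under the generate rule".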
@@ -8550,9 +10429,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -8560,9 +10438,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -8573,9 +10450,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -8588,8 +10464,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -8614,8 +10501,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -8625,9 +10517,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -8641,8 +10533,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -8686,8 +10594,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -8760,15 +10670,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
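Review bot: the `not: required: [any, all]` added to `exclude` makes the schema reject a block that sets both `any` and `all`, which previously slipped through to the controller; this is a good tightening but, like the `oneOf` on context entries, it can break policies that currently set both, so existing policies should be validated against the new CRD before the bump is rolled out. The `required: - name` added to the variable context entry just above is the same kind of change and should be covered by the same check.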
@@ -8784,8 +10700,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -8846,13 +10766,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
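Review bot: `+ x-kubernetes-list-type: atomic` on `values` and on `matchExpressions` changes server-side apply semantics: each list is now owned and replaced as a unit, so two appliers contributing separate entries overwrite each other instead of merging. Harmless when policies are managed by a single tool, but if anything else patches selectors with server-side apply it should be re-verified after the upgrade. The same annotation recurs in the later selector hunks; this note covers all of them.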
@@ -8917,13 +10839,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8990,8 +10914,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9052,13 +10980,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9123,13 +11053,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9243,13 +11175,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9265,8 +11199,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
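Review bot: the new generate `foreach` item (the block opened by `+ foreach:` and closed by the `+ type: object` / `+ type: array` pair just before `+ generateExisting:`) declares no `required` list, so an entry without `list` is schema-valid even though the iterator then has nothing to iterate over; suggest `required: - list` on the item, matching how `url` and `reference` are required elsewhere in the same block. Two smaller points in the same block: the `list` description reads "to which the validation logic is applied" although this is the generate iterator, and `allowInsecureRegistry` under `imageRegistryCredentials` is a bare boolean whose description does not say what "insecure" disables; since it permits fetching image metadata over an unverified channel, the description should say so and the schema should carry an explicit `default: false`. The `generateExisting` description also has a typo: "If is set" should read "If it is set".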
@@ -9338,8 +11717,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -9355,8 +11738,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9417,13 +11804,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9488,13 +11877,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9561,8 +11952,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9623,13 +12018,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9694,13 +12091,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9772,8 +12171,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
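Review bot: the added `oneOf` (the five `+ - required:` entries) now enforces exactly one data source per context entry, but the unchanged description two lines above it still says "Either a ConfigMap reference or a APILookup must be provided", which omits `imageRegistry`, `variable` and `globalReference` and has a grammar slip ("an APILookup"). Suggest updating the description to list all five sources and state that exactly one must be set. Note also that `oneOf` rejects entries that set two sources, which older policies may have done by accident; this is another validation tightening to mention in the upgrade notes.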
@@ -9798,8 +12208,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
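Review bot: `+ default:` on `apiCall` makes a failed lookup silently evaluate to a configured value instead of failing the rule. From a policy-safety standpoint that is a fail-open knob: a transient API error, or a service the controller cannot reach, causes the rule to be evaluated against the fallback data rather than being reported as an error. Exposing it is fine, but the description should say plainly that the error is swallowed, so policy authors choose a default that yields the restrictive outcome, and the substitution should ideally be recorded somewhere visible, such as the policy report.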
@@ -9809,9 +12224,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -9825,8 +12240,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -9872,8 +12306,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -9947,8 +12383,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -10084,8 +12522,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
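Review bot: `+ mutateExistingOnPolicyUpdate:` is introduced without a `default:`, so the schema does not say what happens when the field is unset. The description should state the default (and whether unset means the rule is not re-applied on policy events), because a mutate-existing rule that fires on every policy edit can touch a large number of live resources at once.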
@@ -10112,8 +12554,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -10138,8 +12591,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -10149,9 +12607,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10165,8 +12623,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -10212,8 +12689,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -10287,8 +12766,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -10306,8 +12787,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -10427,8 +12956,12 @@
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
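Review bot: `+ assert:` is typed as an unconstrained object (`type: object` plus `x-kubernetes-preserve-unknown-fields: true`), so the API server accepts any shape and a mistyped assertion tree fails only when the rule runs. That is acceptable for a tree-structured DSL, but the one-line description should at least point to the kyverno-json assertion format so reviewers of policies know what the subtree must look like.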
@@ -10445,21 +12978,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -10471,15 +13001,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -10497,9 +13025,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -10517,12 +13045,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -10540,9 +13068,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -10614,29 +13142,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
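Review bot: the rewritten `name` description (`+ One of `name` or `selector` must be set, but `name` and `selector` are` / `+ mutually exclusive properties. If one is set, the other must be unset.`) states the constraint in prose only; unlike the `not: required:` blocks this diff adds for `name`/`names` and `any`/`all`, nothing visible in the `paramRef` schema enforces it, so a binding that sets both passes API-server validation and is caught, if at all, by the controller at runtime. If the text is intentionally copied verbatim from upstream ValidatingAdmissionPolicy that is fine, but it is worth confirming that the controller does reject the combination.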
@@ -10649,22 +13177,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
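Review bot: in the `parameterNotFoundAction` description the line `- Default to `Deny`` is removed and `+ Required` is added, so a field that previously documented a restrictive default is now documented as mandatory, yet nothing in this hunk adds it to a `required:` list or gives it a `default:`. Please confirm the schema actually enforces "Required"; if it does not, a policy that omits the field no longer has a documented behaviour, and if the controller treats unset as `Allow` that is a silent move from fail-closed to fail-open when a parameter is missing. Either keep `default: Deny` in the schema or make the field required, and call the change out in the upgrade notes.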
@@ -10693,13 +13219,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -10717,9 +13245,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -10734,8 +13263,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -10837,8 +13367,89 @@
type: object
type: array
type: object
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
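Review bot: the `action` enum under `failureActionOverrides` (`audit`, `enforce`, `Audit`, `Enforce`) is wider than the `failureAction` enum directly above it, which lists only `Audit` and `Enforce`; a policy can set an override to `enforce` but not the base action, so the two should accept the same set. The `namespaces` list under the override also has no `description:`, unlike its sibling `namespaceSelector`.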
@@ -10859,8 +13470,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
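Review bot: the new `oneOf` block enforces exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`, but the description just above it still says "Either a ConfigMap reference or a APILookup must be provided"; update it to list all five sources (and fix "a APILookup" to "an APILookup"). Note also that `oneOf` turns a previously tolerated entry carrying two sources into an admission-time rejection, so existing policies should be checked before upgrading.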
@@ -10885,8 +13507,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
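Review bot: `default` under `apiCall` makes a failed lookup fail-open: the context value silently takes the default and the rule proceeds instead of erroring. The description should say so explicitly and warn that a default feeding a deny or verify decision should be chosen to fail closed (an empty list or a restrictive value rather than a permissive one).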
@@ -10896,9 +13523,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10912,8 +13539,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
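Review bot: `headers[].value` is a plain `type: string`, so any `Authorization` or API-key header for the external `service` is stored in clear text in the policy object and is readable by anyone who can `get` policies. The schema offers no secret-reference alternative; at minimum the description should warn against putting credentials here, and a secret reference field would be the better design.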
@@ -10959,8 +13605,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -11034,8 +13682,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -11241,8 +13891,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
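Review bot: the `tsaCertChain` description says "PEM-encoded certificate chain file" but the field is an inline `type: string`, so it holds the PEM content, not a path; "file" should go. The last sentence also ends in a garbled word, "timestamurce", and the same text is repeated in every copy of this field in this diff, so it is worth fixing once at the source that generates these descriptions.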
@@ -11291,13 +13947,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
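Review bot: `issuerRegExp` is added next to `issuer` with no schema-level rule on which wins when both are set, unlike the context entries that got `oneOf` in this same change; a `not: required: [issuer, issuerRegExp]` constraint (the pattern used for `any`/`all` later in this diff) would make the precedence explicit. The description should also state whether the expression is anchored, since an unanchored pattern such as `example.com` also matches any longer issuer URL containing that substring.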
@@ -11327,8 +13994,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
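Review bot: same concern for `subjectRegExp` as for the issuer: identity matching is the trust boundary for keyless verification, and the description gives no anchoring semantics and no exclusivity with `subject`. Worth a sentence warning that a pattern like `.*@example.com` matches any local part at that domain and that `.*` alone accepts every certificate from the configured issuer.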
@@ -11347,8 +14020,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11404,18 +14083,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
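Review bot: the deprecated `keys.signatureAlgorithm` keeps `default: sha256`, so the API server will keep stamping it into every stored object and a reader cannot tell an explicit value from the default; drop the `default:` on the deprecated field and let only the new attestor-level `signatureAlgorithm` default. The deprecation text should also say what happens when both are set and differ.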
@@ -11631,8 +14315,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -11681,13 +14371,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -11717,8 +14418,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -11737,8 +14444,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11795,19 +14508,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -11922,8 +14639,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -11991,8 +14711,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -12040,13 +14766,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -12075,8 +14812,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -12095,8 +14838,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -12151,22 +14900,33 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
list must match the image for the rule to apply. Each image reference consists of a registry
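Review bot: `failureAction` on the image-verify rule has no `default:` while the deprecated `validationFailureAction` it replaces defaults to `Audit`; either carry the same default or state in the description which action applies when the field is unset. Its enum (`Audit`, `Enforce`) also differs from the deprecated field's, which still accepts lowercase `audit`/`enforce`, so a policy migrated by a simple rename can be rejected.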
@@ -12238,23 +14998,47 @@
Type specifies the method of signature validation. The allowed options
are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
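Review bot: the `type` enum gains `SigstoreBundle` but the description above it still reads "The allowed options are Cosign and Notary"; update it. Making `match` `required` is a breaking change for any existing verifyImages rule that omitted `match`, and belongs in the release notes.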
@@ -12267,23 +15051,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
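Review bot: the deprecation text "use validationFailureAction under the validate rule instead" points at a field that does not exist under `validate` in this diff; the per-rule fields added at the top of this diff are named `failureAction` and `failureActionOverrides`. The same applies to the `validationFailureActionOverrides` text. Also, `default: Audit` is kept on the deprecated field, so it keeps being populated on every stored object.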
@@ -12325,13 +15105,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12347,14 +15129,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
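Review bot: the `failurePolicy` description leaks an implementation detail ("This field should not be accessed directly, instead `GetFailurePolicy()` should be used") that means nothing to someone writing YAML; drop that sentence. More important for operators: `Ignore` makes the policy fail-open whenever the webhook errors or times out, so the description should spell out that `Ignore` lets unvalidated requests through and that `Fail` (the default) is the safe choice for enforce-mode policies.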
@@ -12362,9 +15155,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12372,9 +15164,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
```
name:
description: |-
@@ -12385,22 +15176,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
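Review bot: the deprecation text on `webhookTimeoutSeconds` says "use webhookTimeoutSeconds under webhookConfiguration", but the field added under `webhookConfiguration` is `timeoutSeconds`. The new field's description states "the value must be between 1 and 30 seconds" yet the schema has no `minimum`/`maximum`, so out-of-range values are accepted at admission; add them.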
status:
@@ -12423,16 +15218,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12440,9 +15234,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12453,9 +15246,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -12468,8 +15260,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -12494,8 +15297,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -12505,9 +15313,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -12521,8 +15329,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -12566,8 +15390,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -12641,15 +15467,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
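Review bot: the `not: required: [any, all]` on `exclude` rejects any policy that sets both, which the schema previously accepted; fine as a tightening, but it is a breaking change that should be called out, and the `exclude` description should state that `any` and `all` are mutually exclusive rather than leaving it to the schema error.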
@@ -12665,8 +15497,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12727,13 +15563,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12799,13 +15637,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12872,8 +15712,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12934,13 +15778,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13006,13 +15852,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13075,8 +15923,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13137,13 +15989,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13208,13 +16062,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13329,13 +16185,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13351,8 +16209,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
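Review bot: `imageRegistryCredentials.allowInsecureRegistry` (the boolean under `imageRegistry` in this hunk) is described only as "allows insecure access to a registry"; the description should spell out what "insecure" covers (plain HTTP, skipped TLS verification, or both) and that it is off unless set, since a registry lookup over an unverified channel feeds image metadata straight into policy decisions. Two smaller points in the same hunk: `secrets` says entries "must live in the Kyverno namespace" but the items are bare `type: string`, so say whether these are Secret names; and the `all`/`any` precondition descriptions read "when an rule is applied" (should be "a rule").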
@@ -13424,8 +16735,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
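Review bot: the `not: required: [any, all]` block added under MatchResources in this hunk moves a controller-side check into the CRD itself, so any policy already in the cluster that sets both `any` and `all` will be rejected by the API server on its next update instead of failing at evaluation time. That deserves a line in the upgrade notes for this release; the same pattern is applied to `name`/`names` under ResourceDescription in the hunks that follow. The description above the new block still says only "At least one kind is required." and could mention the any/all exclusivity.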
@@ -13441,8 +16756,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13503,13 +16822,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13575,13 +16896,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13648,8 +16971,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13710,13 +17037,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13782,13 +17111,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13851,8 +17182,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13913,13 +17248,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13984,13 +17321,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14061,8 +17400,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
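Review bot: the ContextEntry description in this hunk ("Either a ConfigMap reference or a APILookup must be provided") is now stale: the `oneOf` added directly below it enumerates five mutually exclusive entry types (configMap, apiCall, imageRegistry, variable, globalReference). Suggest "Exactly one of configMap, apiCall, imageRegistry, variable or globalReference must be provided"; the same sentence sits above the two identical `oneOf` hunks later in this file.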
@@ -14088,8 +17438,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
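Review bot: the new `default` under `apiCall` substitutes an arbitrary JSON value "if the apiCall returns error", which makes a failed lookup indistinguishable from a successful one for the rest of the rule. The description should say what counts as an error (non-success status, timeout, connection or TLS failure) and make clear that a permissive default turns the rule fail-open; rule authors who use the lookup result in a validate decision should pick a default that leads to a deny, or leave it unset so the error surfaces.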
@@ -14099,9 +17454,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14115,8 +17470,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
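Review bot: `headers[].value` in this hunk is a plain `type: string` with no secret-reference alternative, so a bearer token or API key sent to the external JSON web service would sit in clear text in the policy object, readable by anyone with read access to policies and preserved in audit logs and GitOps history. Suggest documenting that headers are for non-sensitive values only, or adding a secret reference form in a follow-up; it is also worth noting next to `caBundle` that pinning the server certificate is what keeps these headers from being sent to an impersonated endpoint.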
@@ -14164,8 +17538,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14241,8 +17617,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -14381,8 +17759,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
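Review bot: `mutateExistingOnPolicyUpdate` is added without a `default:`, unlike other booleans in this diff (`skipBackgroundRequests` declares `default: true`), so the effective value when unset is only implied. State the default in the description, and say plainly that enabling it applies the mutateExisting rule to already-existing matching resources on policy events, not just at admission, since that widens the blast radius of a policy edit.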
@@ -14409,8 +17792,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -14436,8 +17830,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -14447,9 +17846,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14463,8 +17862,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -14512,8 +17930,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14589,8 +18009,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -14608,8 +18030,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -14627,8 +18097,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -14637,13 +18114,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
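Review bot: `allowExistingViolations` defaults to `true`, so on upgrade every validate rule silently gains grandfathering: a resource that already violates the policy may "continue violating" it across updates. That is a change in enforcement semantics that belongs in the upgrade notes; a cluster that relies on validation to block drift should set it to `false` explicitly. Also in this hunk: the new `assert` field is `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server does no validation of the kyverno-json assertion tree and malformed assertions surface only at evaluation time; and "prexisting" in the description should be "preexisting".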
@@ -14660,21 +18147,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -14686,15 +18170,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -14713,14 +18195,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -14735,12 +18217,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -14759,10 +18241,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -14834,29 +18316,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -14869,22 +18351,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
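Review bot: the `parameterNotFoundAction` description in this hunk drops "Default to `Deny`" and replaces it with "Required", but the hunk shows no `default:` key and no change to a `required:` list for paramRef, so as far as the schema goes the field remains optional with no declared default. Either add it to `required:` or keep the documented default; the fail-safe behaviour when no parameters match should not be left implicit.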
@@ -14913,13 +18393,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14937,9 +18419,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -14954,8 +18437,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -14968,8 +18452,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
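Review bot: the top-level `failureAction` enum accepts only `Audit`/`Enforce`, while `failureActionOverrides[].action` additionally accepts lowercase `audit`/`enforce`; the two should agree, or the description should say the lowercase forms are kept for compatibility only. `failureAction` is also marked "Optional" without a `default:`, so the behaviour when unset (audit or enforce) is not visible in the schema, and `failureActionOverrides[].namespaces` has no description at all.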
@@ -14991,8 +18556,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -15018,8 +18594,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -15029,9 +18610,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -15045,8 +18626,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -15094,8 +18694,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -15171,8 +18773,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -15382,8 +18986,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
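Review bot: the `tsaCertChain` description contains a garbled word ("timestamurce") and calls the value a "certificate chain file" while the field is a `type: string` holding PEM, so say whether this is inline PEM or a file path. The same text is repeated verbatim in each of the later `tsaCertChain` hunks, so one upstream fix covers all of them.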
@@ -15432,13 +19042,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -15468,8 +19089,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
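Review bot: `subjectRegExp` here (and `issuerRegExp` in the preceding hunk) relaxes keyless identity matching from an exact string to a regular expression, and the description does not say whether the pattern is anchored. An unanchored pattern matches any subject that merely contains the intended value, so the docs should state that patterns must match the full subject (or that the implementation anchors them) and that `.` in email addresses must be escaped; what happens when both `subject` and `subjectRegExp` are set should also be defined.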
@@ -15488,8 +19115,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15546,19 +19179,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
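Review bot: the `keys.signatureAlgorithm` field is marked "Deprecated. Use attestor.signatureAlgorithm instead" but still carries `default: sha256`, and the new attestor-level `signatureAlgorithm` defaults to `sha256` as well, so every object will have both populated; the schema gives no indication of which value takes effect when they differ. Document the precedence, or drop the default from the deprecated field so a user who sets only the new one cannot end up with two conflicting values.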
@@ -15786,8 +19423,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -15838,13 +19481,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
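Review bot: same concern as for subjectRegExp: the issuerRegExp description does not state that the match is anchored, and issuer URLs are prefix-extendable, so a pattern written as a bare URL like `https://token.actions.githubusercontent.com` should be `^https://token\.actions\.githubusercontent\.com$`; note also that an unescaped `.` in a bare URL matches any character. The tsaCertChain block repeated in this hunk carries the same truncated docstring as above.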
@@ -15876,8 +19531,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -15897,8 +19559,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15957,19 +19625,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -16084,8 +19758,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -16153,8 +19830,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -16203,13 +19886,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -16239,8 +19933,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -16259,8 +19959,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -16317,22 +20023,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
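Review bot: failureAction is added with enum Audit/Enforce but, unlike useCache and verifyDigest in the same object, carries no `default:`, so the schema alone does not say what an unset value means; confirm the controller's fallback before relying on per-rule Audit/Enforce for image verification, and set it explicitly to Enforce in policies meant to gate admission. cosignOCI11 is described as experimental and defaults to false, so leaving it unset keeps current verification behaviour.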
@@ -16417,42 +20139,58 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
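Review bot: `required:` on the object that already required `name` (the rule) now also lists `match`, so any existing rule in this repo without a `match:` block will be rejected by the API server once the CRD is upgraded; check existing policies before merging. The new validate.deny.conditions field is `x-kubernetes-preserve-unknown-fields: true`, so a malformed conditions list is not caught at admission and only surfaces when the rule runs, and its own description says the bare list form is deprecated, so write conditions under `any`/`all`. The type enum adds SigstoreBundle next to Cosign and Notary; the description spells it "Sigstore Bundle" with a space, which does not match the enum value.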
@@ -16491,14 +20229,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -16550,10 +20283,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
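Review bot: `ready` is dropped from the status object's required list, so anything in this repo that reads `.status.ready` (readiness gates, wait steps, dashboards) should treat a missing field as not ready instead of assuming it is always present.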
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml 2024-11-22 16:45:00.512259689 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml 2024-11-22 16:44:29.212434748 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: cleanuppolicies.kyverno.io
spec:
group: kyverno.io
names:
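Review bot: this moves the crds subchart from 3.2.7 to 3.3.3, a minor release of the CRD set, and the rest of this file shows schema tightening (new required fields, oneOf and not constraints) rather than purely additive changes, so treat it as an upgrade that can reject existing objects, not as a patch bump; read the chart changelog for the versions in between. The controller-gen bump from v0.15.0 to v0.16.1 explains the `x-kubernetes-list-type` annotations that appear further down.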
@@ -157,8 +157,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
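Review bot: the oneOf block makes exactly one of configMap, apiCall, imageRegistry, variable or globalReference mandatory per context entry, which is stricter than before: an entry with none of them, or with two, is now rejected at admission. The description two lines above still says "Either a ConfigMap reference or a APILookup must be provided" and should list all five alternatives.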
@@ -182,8 +193,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
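Review bot: `default` turns an apiCall error, which previously failed the rule, into a silently successful evaluation with a caller-chosen value; since a cleanup policy's context value usually feeds a delete decision, pick a default that fails closed (for example an empty list that matches nothing) and avoid one that triggers deletion when the API server is unreachable or the controller lacks RBAC for the call. The field is also `x-kubernetes-preserve-unknown-fields: true`, so nothing checks that the default has the shape the jmesPath expression expects.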
@@ -193,8 +209,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -208,8 +225,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
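Review bot: header values are plain strings stored in the policy object, so anything placed in an Authorization or API-key header is readable by every principal with get on cleanuppolicies and lands in git if policies are committed; the schema offers no secret reference here, so do not put bearer tokens or API keys in this field (caBundle covers server verification, not client identity). Both key and value are required but otherwise unconstrained, so an empty key passes validation.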
@@ -253,8 +286,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -326,15 +361,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
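Review bot: `not: required: [any, all]` on exclude makes any and all mutually exclusive, so an exclude block that sets both, which the old schema accepted, is now rejected; the variable context entry also gains a required name. Check existing CleanupPolicy objects in this repo for both patterns before merging.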
@@ -349,422 +390,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- match:
- description: |-
- MatchResources defines when cleanuppolicy should be applied. The match
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the user name or role.
- At least one kind is required.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
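Review bot: this hunk cannot be reviewed as a diff: 422 lines become 12, and the matcher has aligned unrelated lines so that it appears to delete the whole `any:` and `match:` sections while the only visible additions are `not:` and `- names`. The real new content is a `not: required: [name, names]` constraint, apparently on the resources object given the properties that follow, so name (which the old description already marked deprecated in favour of names) can no longer be combined with names. Whether match, any and all still exist in the rendered CRD cannot be read off this hunk; please confirm against the rendered file under out/pr rather than the diff before approving, and check existing policies that set both name and names.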
@@ -824,13 +455,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
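Review bot: `x-kubernetes-list-type: atomic` on values and matchExpressions (here and in the following hunk) most likely comes from the controller-gen and Kubernetes API dependency bump rather than from a Kyverno type change; it only affects server-side apply, where the list is replaced as a whole instead of merged, which is the intended semantics for label selector requirements. No action needed beyond being aware that partial SSA patches to these lists replace them.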
@@ -894,13 +527,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -966,813 +601,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- schedule:
- description: The schedule in Cron format
- type: string
- required:
- - schedule
- type: object
- status:
- description: Status contains policy runtime data.
- properties:
- conditions:
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastExecutionTime:
- format: date-time
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.schedule
- name: Schedule
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v2alpha1
- schema:
- openAPIV3Schema:
- description: CleanupPolicy defines a rule for resource cleanup.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy behaviors.
- properties:
- conditions:
- description: Conditions defines the conditions used to select the
- resources which will be cleaned up.
- properties:
- all:
- description: |-
- AllConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, all of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- any:
- description: |-
- AnyConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, at least one of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- type: object
- context:
- description: Context defines variables and data sources that can be
- used during rule execution.
- items:
- description: |-
- ContextEntry adds variables and data sources to a rule Context. Either a
- ConfigMap reference or a APILookup must be provided.
- properties:
- apiCall:
- description: |-
- APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
- The data returned is stored in the context with the name for the context entry.
- properties:
- data:
- description: |-
- The data object specifies the POST data sent to the server.
- Only applicable when the method field is set to POST.
- items:
- description: RequestData contains the HTTP POST data
- properties:
- key:
- description: Key is a unique identifier for the data
- value
- type: string
- value:
- description: Value is the data value
- x-kubernetes-preserve-unknown-fields: true
- required:
- - key
- - value
- type: object
- type: array
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- method:
- default: GET
- description: Method is the HTTP request type (GET or POST).
- enum:
- - GET
- - POST
- type: string
- service:
- description: |-
- Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath field.
- properties:
- caBundle:
- description: |-
- CABundle is a PEM encoded CA bundle which will be used to validate
- the server certificate.
- type: string
- url:
- description: |-
- URL is the JSON web service URL. A typical form is
- `https://{service}.{namespace}:{port}/{path}`.
- type: string
- required:
- - url
- type: object
- urlPath:
- description: |-
- URLPath is the URL path to be used in the HTTP GET or POST request to the
- Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl get --raw` command.
- See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details.
- It's mutually exclusive with the Service field.
- type: string
- type: object
- configMap:
- description: ConfigMap is the ConfigMap reference.
- properties:
- name:
- description: Name is the ConfigMap name.
- type: string
- namespace:
- description: Namespace is the ConfigMap namespace.
- type: string
- required:
- - name
- type: object
- globalReference:
- description: GlobalContextEntryReference is a reference to a
- cached global context entry.
- properties:
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- name:
- description: Name of the global context entry
- type: string
- type: object
- imageRegistry:
- description: |-
- ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
- details.
- properties:
- imageRegistryCredentials:
- description: ImageRegistryCredentials provides credentials
- that will be used for authentication with registry
- properties:
- allowInsecureRegistry:
- description: AllowInsecureRegistry allows insecure access
- to a registry.
- type: boolean
- providers:
- description: |-
- Providers specifies a list of OCI Registry names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.
- items:
- description: ImageRegistryCredentialsProvidersType
- provides the list of credential providers required.
- enum:
- - default
- - amazon
- - azure
- - google
- - github
- type: string
- type: array
- secrets:
- description: |-
- Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
- items:
- type: string
- type: array
- type: object
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the ImageData struct returned as a result of processing
- the image reference.
- type: string
- reference:
- description: |-
- Reference is image reference to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest
- type: string
- required:
- - reference
- type: object
- name:
- description: Name is the variable name.
- type: string
- variable:
- description: Variable defines an arbitrary JMESPath context
- variable that can be defined inline.
- properties:
- default:
- description: |-
- Default is an optional arbitrary JSON object that the variable may take if the JMESPath
- expression evaluates to nil
- x-kubernetes-preserve-unknown-fields: true
- jmesPath:
- description: |-
- JMESPath is an optional JMESPath Expression that can be used to
- transform the variable.
- type: string
- value:
- description: Value is any arbitrary JSON object representable
- in YAML or JSON form.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- exclude:
- description: |-
- ExcludeResources defines when cleanuppolicy should not be applied. The exclude
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name or role.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
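Review bot: dropping the entire `v2alpha1` version (the removed block that ends with `served: true`, `storage: false`, `name: v2alpha1`) is a breaking change for any CleanupPolicy manifest or client still addressing that version, and the API server will reject the CRD update outright if `v2alpha1` is still listed in the installed CRD's `status.storedVersions`; check that field on the target clusters before merging and run a storage migration if it is present. Policies that silently stop applying after an upgrade are a cleanup gap (the resources they were meant to delete simply persist), so this deserves a pre-rollout check rather than discovery after the fact. Also, the stray `+ not:` and `+ - names` lines interleaved in the removed block are the diff algorithm pairing unrelated lines: in the new file they form `not: required: [name, names]` on `resources`, not a change to the `Subject` `required` list, so `kind` is not being dropped from subjects.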
@@ -1832,13 +666,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
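Review bot: the two `x-kubernetes-list-type: atomic` additions (on `values` and on `matchExpressions`) change server-side-apply ownership semantics only, not validation: an atomic list is owned and replaced as a whole by whichever field manager applies it, so two managers can no longer each own individual `matchExpressions` entries. The same pair recurs in every label-selector hunk below and is consistent with the `+listType=atomic` markers that recent apimachinery releases carry on `metav1.LabelSelector`; no change needed, but anyone applying selector fragments from more than one controller should expect the last writer to win.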
@@ -1902,13 +738,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1966,8 +804,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
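Review bot: the new `not: required: [any, all]` under `match` rejects a policy that sets both `any` and `all`, but it does not enforce the "At least one kind is required" sentence three lines above it: a `match: {}` still passes schema validation and the constraint remains in the controller. If admission-time rejection is wanted, add an `anyOf` with `required: [any]` and `required: [all]` (or `minProperties: 1`) alongside the `not`. Note also that this tightening invalidates any installed object that currently sets both fields, so audit existing CleanupPolicy objects before upgrading.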
@@ -1982,8 +824,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
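Review bot: `not: required: [name, names]` on `resources` makes the deprecated `name` and the newer `names` mutually exclusive, which is the right direction; the same four lines recur for every `resources` block in the hunks below. Existing objects that carry both fields are not failed by the CRD update itself but become invalid on their next write, so they surface only when someone edits the policy; a one-off validation pass over installed policies before rollout avoids that surprise.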
@@ -2043,13 +889,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2113,13 +961,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2185,8 +1035,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2246,13 +1100,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2316,13 +1172,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2378,25 +1236,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
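Review bot: adding `- match` to the spec-level `required` list means a CleanupPolicy with no `match` block is now rejected at admission instead of reaching the controller, which is the safer default for a resource whose job is deleting things; previously only `schedule` was required. The description rewrite that drops the embedded Go struct sample (the `\n---\n` and `\t` fragments) is a pure improvement for `kubectl explain` output and needs no change.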
@@ -2435,14 +1286,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -2459,10 +1305,10 @@
type: object
required:
- spec
type: object
- served: false
- storage: false
+ served: true
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
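Review bot: flipping this version to `served: true` / `storage: true` is only safe if the version that was storage before stays served through the transition: the CRD update does not rewrite stored objects, so the previous version remains in `status.storedVersions` until every object has been read and written back in the new version. Plan a storage-version migration (or have the controller touch each object) before any later PR removes the old version, otherwise that removal will be rejected for the same reason the `v2alpha1` drop in the first hunk can be.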
@@ -2470,8 +1316,9 @@
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: CleanupPolicy defines a rule for resource cleanup.
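Review bot: `deprecated: true` on `v2beta1` makes the API server attach a Warning header to every request that uses this version, which is the right signal to clients; consider adding a `deprecationWarning` string next to it naming the replacement version, since the server's default message only says the version is deprecated. Downstream manifests in this repo that still use `v2beta1` CleanupPolicy objects should be moved in the same change so the warnings do not become permanent noise in CI logs.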
@@ -2595,8 +1442,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
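Review bot: the `oneOf` block makes exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` and `globalReference` mandatory per context entry, so an empty entry or one naming two sources now fails at admission rather than at rule execution. The description two lines above still says only "Either a ConfigMap reference or a APILookup must be provided"; update it to list all five sources (and fix "a APILookup" to "an APILookup") so `kubectl explain` matches what the schema enforces.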
@@ -2620,8 +1478,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
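Review bot: the new `default` under `apiCall` changes failure semantics per its own description: an API call that errors no longer leaves the context value unset but substitutes the default, so a rule whose resource selection depends on that call keeps evaluating on substituted data. For a cleanup policy that is the fail-open direction; the description should say so explicitly, and policy authors should choose defaults that make the rule select nothing on error rather than defaults that happen to match everything. Grammar: "if the apiCall returns error" should read "returns an error".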
@@ -2631,8 +1494,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2646,8 +1510,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
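Review bot: `headers` values are plain `type: string` fields in the CleanupPolicy spec, so any `Authorization` or API-key header placed here is stored unencrypted in the policy object, is readable by anyone with read access to CleanupPolicy objects, and ends up in rendered Helm output committed to git. The description should state that these are for non-secret headers only, and a secret reference (a `valueFrom`-style field) would be the right follow-up for credentials; `caBundle` directly above remains optional, so reviewers of individual policies should also confirm the `url` is HTTPS with a pinned bundle when headers carry anything sensitive.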
@@ -2691,8 +1571,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2764,15 +1646,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
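Review bot: `required: - name` at the context-entry level closes the gap where an unnamed entry passed schema validation but could never be referenced from a rule; good. The `not: required: [any, all]` under `exclude` mirrors the one under `match` and carries the same limitation (it rejects both-set but does not require either), which for `exclude` is the intended semantics since an empty exclude is legitimate, so no further constraint is needed here.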
@@ -2787,8 +1675,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2848,13 +1740,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2918,13 +1812,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2990,8 +1886,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3051,13 +1951,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3121,13 +2023,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3185,8 +2089,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -3201,8 +2109,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3262,13 +2174,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3332,13 +2246,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3404,8 +2320,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3465,13 +2385,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3535,13 +2457,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3597,25 +2521,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
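Review bot: `match` becomes a required field of the CleanupPolicy spec (`+ - match` under `required:`), which is stricter than before: a CleanupPolicy without `match` previously passed the schema and is now rejected on create or update. Because a cleanup policy deletes resources, requiring an explicit match is the safer default, but existing objects should be checked with a server-side dry-run before the upgrade. The condition description rewrite in the rest of the hunk is generator output and carries no schema change.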
@@ -3654,14 +2571,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -3679,7 +2591,7 @@
required:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
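Review bot: `storage: true` to `storage: false` for this version of the CleanupPolicy CRD means another version in the same CRD must now carry `storage: true` (not visible in this hunk; confirm it in the full rendered file) and that objects persisted under this version stay in etcd in the old form until they are rewritten. After the upgrade, check `status.storedVersions` on the CRD and run a storage migration (a no-op update of each object is enough) before this version can ever be dropped from the CRD.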
Only in out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_clusteradmissionreports.yaml
Only in out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_clusterbackgroundscanreports.yaml
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml
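Review bot: two CRD files exist only in the target render and not in the PR render (`kyverno.io_clusteradmissionreports.yaml` and `kyverno.io_clusterbackgroundscanreports.yaml`), so the new chart version stops shipping those CRDs. Helm does not delete CRDs on upgrade, so the definitions and any objects of those kinds remain in the cluster as orphans; decide explicitly whether to remove them after the upgrade, and check that nothing (report consumers, RBAC rules, dashboards) still reads those kinds.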
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml 2024-11-22 16:44:59.712263217 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: globalcontextentries.kyverno.io
spec:
group: kyverno.io
names:
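Review bot: the crds sub-chart moves from 3.2.7 to 3.3.3, a minor version of Kyverno rather than a patch, and the controller-gen bump from v0.15.0 to v0.16.1 explains the many description-only rewrites further down this file. The hunks that actually change validation are the `oneOf`, `required` and `not` additions; review those as behavioural changes, not as generator noise.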
@@ -62,8 +62,13 @@
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
+ oneOf:
+ - required:
+ - kubernetesResource
+ - required:
+ - apiCall
properties:
apiCall:
description: |-
Stores results from an API call which will be cached.
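Review bot: the `oneOf` under `spec` now enforces at the API server that a GlobalContextEntry has exactly one of `kubernetesResource` or `apiCall`; an entry with both or neither is rejected on create or update. That is the right place for the check (previously only the controller could notice), but existing entries that set both will start failing on their next write, so a server-side dry-run of the current GlobalContextEntry objects before the upgrade would surface them.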
@@ -92,9 +97,10 @@
type: object
type: array
method:
default: GET
- description: Method is the HTTP request type (GET or POST).
+ description: Method is the HTTP request type (GET or POST). Defaults
+ to GET.
enum:
- GET
- POST
type: string
@@ -105,8 +111,14 @@
The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,
such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
format: duration
type: string
+ retryLimit:
+ default: 3
+ description: RetryLimit defines the number of times the APICall
+ should be retried in case of failure.
+ minimum: 1
+ type: integer
service:
description: |-
Service is an API call to a JSON web service.
This is used for non-Kubernetes API server calls.
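Review bot: `retryLimit` defaults to 3 with `minimum: 1` and no `maximum`, so existing apiCall entries silently gain three retries on failure and an author can set an arbitrarily large value. Consider whether an upper bound belongs here, and note that together with the refresh interval above (`format: duration`) the retries multiply the request rate against the upstream service precisely when it is unhealthy.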
@@ -116,8 +128,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers to
+ be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
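Review bot: the new `headers` list stores `key`/`value` pairs as plain strings with no secret reference, so an Authorization or API-key header placed here lives in etcd inside a cluster-scoped GlobalContextEntry and is readable by anyone with `get` on that resource. Together with `url`, `caBundle` and `method`, this gives whoever can write GlobalContextEntry objects a configurable HTTP client running from the Kyverno controller's network position; review RBAC on `globalcontextentries.kyverno.io` and keep credentials out of header values (inject them via a sidecar or egress proxy instead).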
@@ -155,25 +183,20 @@
type: string
version:
description: Version defines the version of the resource.
type: string
+ required:
+ - resource
+ - version
type: object
type: object
status:
description: Status contains globalcontextentry runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
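Review bot: `resource` and `version` become required under `kubernetesResource` (`+ required:` block at the top of the hunk), so a GlobalContextEntry that omitted either will be rejected on its next update; add both fields to existing entries before upgrading. The condition description rewrite in the same hunk is generator output only.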
@@ -212,14 +235,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -237,10 +255,8 @@
type: string
ready:
description: Deprecated in favor of Conditions
type: boolean
- required:
- - ready
type: object
required:
- spec
type: object |
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 2024-11-22 16:44:59.712263217 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: policies.kyverno.io
spec:
group: kyverno.io
names:
@@ -32,11 +32,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
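Review bot: the `VALIDATE ACTION` printer column (`.spec.validationFailureAction`) is removed, so `kubectl get policies` no longer shows Audit versus Enforce at a glance and any script or dashboard that parsed that column breaks. Record this in the upgrade notes, or add an equivalent column for wherever the action now lives if the field is still present in the new version.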
@@ -114,31 +111,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
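Review bot: `failurePolicy` (`Ignore`/`Fail`) is marked deprecated in favour of `webhookConfiguration.failurePolicy`, but the hunk does not say whether the old field is still honoured. Since this field decides whether the admission webhook fails open or closed, confirm that policies setting `spec.failurePolicy: Fail` keep that behaviour after the upgrade and plan the move to the new location; otherwise enforcement could silently fall back to whatever the webhookConfiguration default is. `emitWarning` (default false) and the deprecation notes on `generateExisting` and `mutateExistingOnPolicyUpdate` are non-breaking at the schema level; their runtime handling is not visible here.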
@@ -154,16 +151,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
- by fulfilled for a request to be sent to a webhook.
+ be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -171,9 +167,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -184,9 +179,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -199,8 +193,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
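Review bot: the `oneOf` on ContextEntry now rejects an entry that sets more than one of `configMap`, `apiCall`, `imageRegistry`, `variable` and `globalReference`, or none of them, while the description just above it still says "Either a ConfigMap reference or a APILookup must be provided" and should list all five sources. Existing policies with an ambiguous context entry will be rejected on their next update, so run a server-side dry-run of the current policies against the new CRD before rolling this out.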
@@ -225,8 +230,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
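Review bot: `default` on `apiCall` substitutes an arbitrary JSON value when the call fails instead of failing the rule, which is a fail-open path for any validate rule keyed off the call result: with a permissive default, an outage of the upstream API silently passes admission. The policy-authoring guidelines should say that `default` is only appropriate where the fallback value is the restrictive one.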
@@ -236,9 +246,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -252,8 +262,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
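Review bot: the new `headers` list on a rule's `context.apiCall.service` lets a namespaced Policy author attach arbitrary `key`/`value` headers to requests the Kyverno controller makes to `url`, and any credential placed in `value` sits unencrypted in the Policy object, readable by whoever can read policies in that namespace. Check which subjects may create `policies.kyverno.io` in each namespace and inject credentials outside the policy object rather than in a header value.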
@@ -297,8 +323,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -371,15 +399,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
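Review bot: the `not: required: [any, all]` block under `exclude` makes an exclude that lists both `any` and `all` an API-server error; existing rules that combined them need rewriting before the upgrade. Since `exclude` widens what a policy leaves unchecked, a rejected exclude is preferable to a silently misapplied one, but the rewrite has to preserve the intended scope. The `required: - name` on context entries earlier in the same hunk is a straightforward tightening.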
@@ -395,8 +429,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -457,13 +495,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -528,13 +568,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -601,8 +643,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -663,13 +709,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -734,13 +782,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -803,8 +853,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -864,13 +918,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -934,13 +990,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1052,13 +1110,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1074,8 +1134,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
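Review bot: the new generate `foreach` carries its own `clone`/`cloneList` (with `namespace` and a label `selector`) and a full `context` block including `apiCall.service.headers` and `imageRegistry.imageRegistryCredentials.secrets`, so a generate rule can now iterate a JMESPath `list` and clone resources from any namespace the controller can read; document what this means for who may author generate rules. Three wording points in the hunk: the `list` description ("to which the validation logic is applied") is copied from the validate foreach and should refer to the generate logic; the `cloneList.selector` description has a stray period ("Label keys and values in `matchLabels`. wildcard characters are not supported"); and `generateExisting` reads "If is set to" (missing "it").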
kind:
description: Kind specifies resource kind.
type: string
name:
@@ -1147,8 +1652,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -1164,8 +1673,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1226,13 +1739,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1297,13 +1812,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1370,8 +1887,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1432,13 +1953,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1503,13 +2026,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1572,8 +2097,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1633,13 +2162,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1703,13 +2234,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1779,8 +2312,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
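Review bot: the ContextEntry description still reads "Either a ConfigMap reference or a APILookup must be provided" while the new `oneOf` enforces exactly one of five sources (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`); update the description to match, and note that a context entry with none of these, or with two of them, is now rejected by the API server instead of being tolerated.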
@@ -1805,8 +2349,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
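Review bot: `default` on `apiCall` is a fail-open knob: when the lookup errors the context variable is silently set to the default and the rule keeps evaluating, so a validate rule that denies based on looked-up data (allowed registries, approved namespaces) turns an API outage into an allow if the default is empty or permissive. The description should state what happens when `default` is absent and recommend choosing a default under which the rule denies; "returns error" should also read "returns an error".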
@@ -1816,9 +2365,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -1832,8 +2381,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
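Review bot: `headers[].value` is a plain string with no secret-reference alternative, so an `Authorization` or API-key header for a non-Kubernetes JSON web service ends up in the ClusterPolicy object itself, readable by anyone with get on clusterpolicies and visible in every GitOps diff like this one. Either document that headers are for non-sensitive values only, or add a secretRef-style variant before this field is used for authenticated calls.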
@@ -1879,8 +2447,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -1954,8 +2524,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -2091,8 +2663,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
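Review bot: `mutateExistingOnPolicyUpdate` has no `default:` and the description does not say what applies when it is omitted; since enabling it re-applies a mutate-existing rule to every matched resource on each policy edit, the default needs to be stated explicitly so a routine policy change does not become a cluster-wide mutation by surprise.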
@@ -2119,8 +2695,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2145,8 +2732,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2156,9 +2748,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2172,8 +2764,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -2219,8 +2830,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2294,8 +2907,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -2313,8 +2928,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -2332,8 +2995,14 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -2342,13 +3011,22 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting violating
+ resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
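Review bot: `allowExistingViolations` defaulting to `true` means switching a rule to Enforce will not block updates to resources that already violate it; that is a migration-friendly default, but it weakens Enforce on clusters that never went through Audit first, and the description should say that `false` is required for a hard gate. Also "prexisting" should be "pre-existing", and `assert` gets a single-line description; a pointer to the kyverno-json assertion syntax would help policy authors.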
@@ -2365,21 +3043,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -2391,15 +3066,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -2417,9 +3090,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -2437,12 +3110,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -2460,9 +3133,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -2534,29 +3207,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -2569,22 +3242,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
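Review bot: `parameterNotFoundAction` loses its "Default to `Deny`" sentence and gains "Required", but nothing in this hunk adds it to a `required:` list of the enclosing paramRef object. Confirm the schema actually requires it; if it is still optional, the description is now misleading and a binding that omits the field has no documented fallback, where the previous text guaranteed the fail-closed `Deny`.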
@@ -2613,13 +3284,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2637,9 +3310,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -2654,8 +3328,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -2668,8 +3343,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
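Review bot: the new rule-level `failureAction` is marked Optional but carries no `default:` and does not say what applies when it is omitted; with the spec-level `validationFailureAction` deprecated in the same change, authors need to know whether an unset rule-level value falls back to the spec-level value or to Audit. The enums are also inconsistent: `failureAction` accepts only `Audit`/`Enforce`, while `failureActionOverrides[].action` additionally accepts lowercase `audit`/`enforce`, and `failureActionOverrides[].namespaces` has no description at all.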
@@ -2690,8 +3446,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2716,8 +3483,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2727,9 +3499,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2743,8 +3515,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -2790,8 +3581,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2865,8 +3658,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -3072,8 +3867,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
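Review bot: the `tsaCertChain` description says "certificate chain file" for a field that is a string holding PEM content inline, not a path, and it ends in the typo "timestamurce"; the identical text is copied into every attestor variant below, so fix it once at the source type. Since this chain is what makes a signature with an expired certificate acceptable at its timestamp, the description should also say that the root pasted here is trusted for that purpose.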
@@ -3122,13 +3923,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3158,8 +3970,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
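Review bot: `issuerRegExp` (previous hunk) and `subjectRegExp` (this hunk) do not say whether the expression must match the whole value or any substring, and that is the difference between a safe and a bypassable keyless policy: an unanchored `.*@example\.com` also matches `attacker@example.com.evil.invalid`, and an issuer pattern with unescaped dots matches more than intended. State the matching semantics (full match recommended), advise anchoring with `^...$`, and say how the field combines with `subject`/`issuer` when both the literal and the regexp are set.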
@@ -3178,8 +3996,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3235,18 +4059,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
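Review bot: `signatureAlgorithm` now exists twice, both with `default: sha256`: the deprecated one under `keys` and the new one at attestor level. A policy that sets only the deprecated field will also receive `sha256` at the attestor level after defaulting, and nothing here says which value wins; document the precedence, otherwise a policy pinned to sha512 under `keys` may silently verify with sha256.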
@@ -3473,8 +4302,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3523,13 +4358,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3559,8 +4405,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3579,8 +4431,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3637,19 +4495,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -3764,8 +4626,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -3833,8 +4698,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3882,13 +4753,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3917,8 +4799,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -3937,8 +4825,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3993,22 +4887,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
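Review bot: `cosignOCI11` is described only as "experimental OCI 1.1 behaviour", which says nothing about what is trusted differently when it is on; keep it off in the chart values (the description says it defaults to false) and expand the description with the concrete behavioural change. The `failureAction` added here on verifyImages has a one-line description and no default, raising the same default and precedence question as the validate-rule field.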
@@ -4092,26 +5002,50 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
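Review bot: adding `match` to the rule's `required` list is a schema-tightening, breaking change: any existing policy whose rule omits `match` will be rejected on its next apply once the CRD is upgraded. Either call this out in the release notes or keep `match` out of `required` and enforce it in the webhook. Separately, `validate.deny.conditions` is declared only as `x-kubernetes-preserve-unknown-fields: true` with no sub-schema, so a malformed `any`/`all` block is accepted at admission and only fails at evaluation time; listing `any` and `all` as properties would catch that earlier.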
@@ -4124,23 +5058,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
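Review bot: the new `validationFailureAction` description drops the explanation of what Audit and Enforce mean while the field still has `default: Audit` and still accepts the lowercase `audit`/`enforce` values. Keep a one-line summary of the semantics (or point at the per-rule `validate` field that replaces it) and document precedence when both the deprecated policy-level field and the per-rule field are set; as written, an operator reading the schema cannot tell which one wins. The same applies to the `validationFailureActionOverrides` description in this hunk.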
@@ -4182,13 +5112,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
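Review bot: `x-kubernetes-list-type: atomic` on `matchExpressions` and on its `values` changes server-side apply semantics: the list is now owned and replaced as a unit instead of merged per element, so a second field manager that previously added a requirement will now overwrite the whole list. This is the setting that matches the list-type markers on the upstream `LabelSelector` type, so it is the right choice, but it is a behavioural change for anyone applying policies with multiple managers and belongs in the change notes. The same marker is added to every other `matchExpressions` block in this diff; this comment applies to all of them.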
@@ -4204,14 +5136,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
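Review bot: the `failurePolicy` description leaks an implementation note ("This field should not be accessed directly, instead `GetFailurePolicy()` should be used") into a user-facing CRD; drop that sentence. It also says "Defaults to Fail" but the schema declares no `default: Fail`, so the effective value is invisible in stored objects and in `kubectl explain`; add the `default:` to match the text. Because `Ignore` makes the webhook fail open, the description should spell out that a timeout or controller error then admits the request with the policy not applied. The unchanged context in this hunk still reads "must by fulfilled" for this `MatchCondition` description while a later hunk corrects the same sentence to "must be fulfilled"; fix both.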
@@ -4219,9 +5162,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4229,9 +5171,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4242,22 +5183,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
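Review bot: the deprecation text on `webhookTimeoutSeconds` says to use "webhookTimeoutSeconds under webhookConfiguration", but the field this hunk adds under `webhookConfiguration` is named `timeoutSeconds`; correct the message or users will look for a field that does not exist. Also, `timeoutSeconds` states "the value must be between 1 and 30 seconds" while the schema only declares `format: int32`; add `minimum: 1` and `maximum: 30` so out-of-range values are rejected at admission rather than at policy load.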
@@ -4281,16 +5226,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4298,9 +5242,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4311,9 +5254,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -4326,8 +5268,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
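Review bot: the `ContextEntry` description still says "Either a ConfigMap reference or a APILookup must be provided" while the new `oneOf` enumerates five mutually exclusive sources (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`); update the description to match. Note as well that `oneOf` now rejects an entry that sets two sources, which previously passed schema validation, so this is a tightening that existing policies may trip over. The same `oneOf` block and the same stale description appear in the other `ContextEntry` hunks of this diff.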
@@ -4352,8 +5305,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -4363,9 +5321,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -4379,8 +5337,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
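Review bot: `service.headers` stores header values as plain strings inside the policy object. The obvious use is an `Authorization` header for a non-Kubernetes JSON service, so the description should warn that anything placed here is readable by every principal with `get` on policies and ends up in audit logs and GitOps repositories, and should point to a Secret-backed alternative if one exists; at minimum, say that the values are not treated as sensitive. The same `headers` block is repeated in the other `service` hunks of this diff.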
@@ -4424,8 +5398,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -4499,15 +5475,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
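Review bot: the `not: required: [any, all]` construct rejects an `exclude` block that sets both `any` and `all`, but nothing in the description says so, and the resulting schema error from the API server is a generic `not` failure that is hard to read. Add a sentence to the description stating that `any` and `all` are mutually exclusive. The same pattern is used for `name` and `names` on `ResourceDescription` in the following hunks and deserves the same one-line mention there.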
@@ -4523,8 +5505,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4585,13 +5571,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4657,13 +5645,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4730,8 +5720,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4792,13 +5786,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4864,13 +5860,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4933,8 +5931,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4995,13 +5997,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5066,13 +6070,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5187,13 +6193,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5209,8 +6217,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
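Review bot: the `list` description under the new generate `foreach` reads "to which the validation logic is applied", which is copied from the validate rule; it should say the generate logic. The `selector` description has a stray sentence break ("in `matchLabels`. wildcard characters are not supported") and `generateExisting` has "If is set to" (should be "If it is set to"). More substantively, each `foreach` entry has no `required:` list, so an entry with neither `kind` nor `data`/`clone` passes schema validation; if `apiVersion` and `kind` are mandatory per entry, declare them, and state in the `clone`/`data` descriptions what happens when both are omitted inside a foreach element. Since `generateExisting: true` makes the rule create resources for everything already matching, the description should also note the default is false.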
@@ -5282,8 +6743,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -5299,8 +6764,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5361,13 +6830,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5433,13 +6904,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5506,8 +6979,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5568,13 +7045,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5640,13 +7119,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5709,8 +7190,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5771,13 +7256,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5842,13 +7329,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5919,8 +7408,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -5946,8 +7446,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -5957,9 +7462,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -5973,8 +7478,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6022,8 +7546,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6099,8 +7625,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -6239,8 +7767,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
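Review bot: `mutateExistingOnPolicyUpdate` has no `default:` and its description does not state one. Because enabling it causes a policy edit to rewrite live resources retroactively, the schema should carry an explicit `default: false` and the description should say so, so that an operator updating a policy does not trigger a cluster-wide mutation unexpectedly.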
@@ -6267,8 +7800,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -6294,8 +7838,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -6305,9 +7854,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6321,8 +7870,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6370,8 +7938,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6447,8 +8017,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -6466,8 +8038,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -6485,8 +8105,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -6495,13 +8122,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
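Review bot: `allowExistingViolations` defaults to `true`, so an `Enforce` rule introduced later lets resources that already violate it keep being updated, and the one-line description does not say that this applies only to updates of existing objects or how "preexisting" is decided; spell that out and fix "prexisting" to "preexisting". `assert` also needs more than "a kyverno-json assertion tree": the other validate styles in this block link to their docs page, and nothing in the schema stops `assert` from being combined with `pattern`, `anyPattern` or `deny` in the same rule, so say whether that is allowed.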
@@ -6518,21 +8155,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -6544,15 +8178,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -6571,14 +8203,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -6593,12 +8225,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -6617,10 +8249,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -6692,29 +8324,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -6727,22 +8359,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
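Review bot: `parameterNotFoundAction` now says "Required" and no longer documents a default, but the schema still has no `required` entry for it and no `enum`, so a binding that omits the field or writes `deny` in lowercase is accepted by the API server and its behaviour is left to the controller. Add `enum: [Allow, Deny]` and list the field under `required`, or restore the "Default to `Deny`" sentence if the controller still falls back to deny when it is unset.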
@@ -6771,13 +8401,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -6795,9 +8427,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -6812,8 +8445,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -6826,8 +8460,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
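Review bot: `failureActionOverrides[].action` accepts `audit`, `enforce`, `Audit` and `Enforce`, while the sibling `failureAction` accepts only `Audit` and `Enforce`; pick one casing for both, or note that the lowercase forms exist only for compatibility. The `failureAction` description says "Optional" without naming what applies when it is unset, `namespaces` has no description at all, and nothing says whether `namespaces` and `namespaceSelector` are ORed or ANDed when both are set or which override wins when two of them match the same namespace.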
@@ -6849,8 +8564,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -6876,8 +8602,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -6887,9 +8618,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6903,8 +8634,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6952,8 +8702,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -7029,8 +8781,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -7240,8 +8994,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
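Review bot: the `tsaCertChain` description ends in "timestamurce", a truncated word that is repeated in every `tsaCertChain` block of this diff; fix it once in the Go comment so all copies regenerate. It should also say that the field holds the PEM text itself rather than a path (the text currently says "certificate chain file"), and that the chain's root is what RFC 3161 timestamps are verified against, so pasting the wrong chain means trusting a different timestamp authority.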
@@ -7290,13 +9050,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
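Review bot: `issuerRegExp` does not say whether the pattern is anchored or what happens when both `issuer` and `issuerRegExp` are set. An unanchored `https://token.actions.githubusercontent.com` also matches `https://token.actions.githubusercontent.com.attacker.example`, so the description should tell authors to anchor with `^...$` (or the controller should anchor for them), and the schema or description should define precedence between the exact and regex fields.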
@@ -7326,8 +9097,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
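Review bot: with `subjectRegExp` added, nothing in the schema requires at least one of `subject` or `subjectRegExp` for a keyless attestor, and the description does not say whether a loose pattern such as `.*@example.com` is anchored, so a certificate for `alice@example.com.evil.test` would satisfy it if it is not. Add a `oneOf` or `anyOf` requiring one of the two (and do the same for `issuer`/`issuerRegExp`), and document anchoring and precedence in the same words for both pairs.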
@@ -7346,8 +9123,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7404,19 +9187,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
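Review bot: moving `signatureAlgorithm` from `keys` to the attestor level leaves both fields with `default: sha256`, so every existing policy now implicitly sets both and the description never says which one wins when they differ. Document the precedence, drop the default from the deprecated field so "set" can be told apart from "defaulted", and add `enum: [sha224, sha256, sha384, sha512]`, since the description lists exactly those values but the schema accepts any string.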
@@ -7644,8 +9431,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -7696,13 +9489,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -7734,8 +9539,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -7755,8 +9567,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7815,19 +9633,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -7942,8 +9766,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -8011,8 +9838,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -8061,13 +9894,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -8097,8 +9941,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -8117,8 +9967,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -8175,22 +10031,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
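Review bot: the image-verification `failureAction` is described only as "Allowed values are Audit or Enforce", without the block-versus-report explanation given for the validate-rule `failureAction` earlier in this diff and without the value that applies when it is unset; reuse that wording here. `cosignOCI11` should likewise say what the "experimental OCI 1.1 behaviour" changes on the registry side, so operators know the prerequisites before flipping it on.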
@@ -8275,42 +10147,58 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
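Review bot: adding `match` to the rule's `required` list is a breaking schema change: any existing Policy or ClusterPolicy rule without a `match` block will be rejected on its next update once this CRD is applied, so it needs an upgrade note. Two smaller points in the same hunk: the `type` description says "Sigstore Bundle" while the enum value is `SigstoreBundle`, so quote the literal value; and the new image-verification `validate.deny` copies the validate-rule wording about a direct list of conditions being "supported for backwards compatibility", although this field is brand new and has no legacy form to support.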
@@ -8349,14 +10237,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -8408,10 +10291,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
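Review bot: removing `ready` from the status `required` list means a `status` object may now exist without `ready`, so any tooling that reads `.status.ready` should be checked (the READY printer column below already reads the `Ready` condition instead); if the field is now only informational, say so in its description.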
@@ -8425,11 +10306,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
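Review bot: dropping the `VALIDATE ACTION` printer column removes the only `kubectl get` view of whether a policy enforces or audits, and with the action now set per rule in `validate.failureAction` there is no single JSONPath to put in its place. Consider a column that surfaces a spec-level summary, or say in the release notes that users must inspect `.spec.rules[*].validate.failureAction` from now on.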
@@ -8507,30 +10385,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
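Review bot: the new `emitWarning` description refers to "validate policy rules with validationFailureAction set to Audit", but this same CRD change removes the `validationFailureAction` printer column and introduces the rule-level `failureAction` with the same `Audit`/`Enforce` values; reword to the field that exists going forward. The three deprecation notices (`failurePolicy`, `generateExisting`, `mutateExistingOnPolicyUpdate`) also replace the old behavioural text entirely, so a reader of this schema no longer learns what a deprecated field does when it is still set; keep one sentence of the old semantics and state whether the old field is ignored or still honoured.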
@@ -8553,9 +10432,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -8563,9 +10441,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -8576,9 +10453,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -8591,8 +10467,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -8617,8 +10504,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -8628,9 +10520,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -8644,8 +10536,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
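Review bot: `headers[].value` is a plain `type: string` in the policy object, so an Authorization or API-key header placed here is stored in cleartext in the ClusterPolicy and is readable by anyone who can read policies; the description should warn against inlining secrets and note that `caBundle` is what protects the header in transit. The schema offers no secret-reference form for the value, so that should be documented as unsupported rather than left for users to discover.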
@@ -8689,8 +10597,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -8763,15 +10673,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
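Review bot: `exclude` now carries `not: required: [any, all]`, i.e. a rule that sets both `any` and `all` under `exclude` is rejected by the schema, but the description above it does not say so; add a sentence stating that `any` and `all` are mutually exclusive. Since `exclude` is where policy bypasses are declared, it is worth confirming the behaviour for existing policies that set both (the identical `not` block is added to `match` below).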
@@ -8787,8 +10703,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -8849,13 +10769,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8920,13 +10842,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8993,8 +10917,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9055,13 +10983,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9126,13 +11056,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9246,13 +11178,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9268,8 +11202,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
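Review bot: the `list` description inside the new generate `foreach` says the elements are those "to which the validation logic is applied", which is copied from the validate foreach; here it should read "to which the generate logic is applied". Two more points in this hunk: `clone`, `cloneList` and `data` are documented as "At most one of Data or Clone can be specified" but, unlike the `context` entries in the same block, nothing in the schema (`not` or `oneOf`) enforces it, so the check presumably lives in the webhook and should either be documented as such or added here; and the nested ContextEntry keeps the stale "Either a ConfigMap reference or a APILookup" wording next to a five-way `oneOf`.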
@@ -9341,8 +11720,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -9358,8 +11741,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9420,13 +11807,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9491,13 +11880,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9564,8 +11955,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9626,13 +12021,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9697,13 +12094,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9775,8 +12174,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -9801,8 +12211,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -9812,9 +12227,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -9828,8 +12243,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -9875,8 +12309,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -9950,8 +12386,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -10087,8 +12525,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
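Review bot: `mutateExistingOnPolicyUpdate` does not state its default. A boolean that re-applies a mutateExisting rule to every matched existing resource whenever the policy object changes is a cluster-wide write path, so the description should say what happens when the field is omitted (if the intended default is false, say so) and that enabling it means anyone who can update the policy can trigger those mutations. Suggested wording: "MutateExistingOnPolicyUpdate controls if the mutateExisting rule is re-applied to matching existing resources when the policy is created or updated."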
@@ -10115,8 +12557,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -10141,8 +12594,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -10152,9 +12610,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10168,8 +12626,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -10215,8 +12692,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -10290,8 +12769,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -10309,8 +12790,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
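Review bot: the new `selector` on mutate targets is described only as "Selector allows you to select target resources with their labels"; the description should state how it composes with the other target fields in the same object (for example `uid` just below, and the kind/name/namespace fields) and whether an empty selector matches every resource of the kind, since a target that selects too broadly turns a mutateExisting rule into a cluster-wide rewrite.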
@@ -10430,8 +12959,12 @@
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
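Review bot: `assert` is introduced with a one-line description ("Assert defines a kyverno-json assertion tree") and a fully open `x-kubernetes-preserve-unknown-fields: true` schema; the description should link the kyverno-json assertion syntax and state how `assert` relates to the sibling `pattern`, `anyPattern`, `cel` and `deny` checks (mutually exclusive or all evaluated), because a validation rule that declares two checks of which only one runs silently weakens the policy.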
@@ -10448,21 +12981,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -10474,15 +13004,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -10500,9 +13028,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -10520,12 +13048,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -10543,9 +13071,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -10617,29 +13145,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
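Review bot: the `namespace` description in this hunk loses two lead sentences: "- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this" and "- If `paramKind` is namespace-scoped, the namespace of the object being" are removed with no `+` replacement, leaving the context lines "field results in a configuration error." and "evaluated for admission will be used when this field is left unset." as fragments. Either the rendered diff dropped the replacement lines or the CRD now ships a broken description; check the rendered chart output before merging. In the same hunk the added "One of `name` or `selector` must be set" text on `name` duplicates the sentence already present in the `selector` description in the next hunk.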
@@ -10652,22 +13180,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
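Review bot: `parameterNotFoundAction` changes from "Default to `Deny`" to "Required" with no `required:` entry visible in this hunk, so the field is documented as mandatory while the schema shown does not enforce it; confirm the `paramRef` `required` list includes it, or keep the documented default. This matters for a security policy because `Allow` here means a binding whose params are missing "will be treated as successful validation", so if the Deny default really is gone, existing bindings that omitted the field should be reviewed before the upgrade.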
@@ -10696,13 +13222,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -10720,9 +13248,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -10737,8 +13266,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -10840,8 +13370,89 @@
type: object
type: array
type: object
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
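Review bot: the new `failureAction` carries no `default:` even though the top-level `validationFailureAction` it supersedes defaults to `Audit`; the description should say what an unset value means, because `Audit` lets violating requests through while `Enforce` blocks them, and the two levels should not diverge silently. Also, `failureActionOverrides[].action` accepts lower-case `audit`/`enforce` while `failureAction` accepts only `Audit`/`Enforce`; align the two enums so a policy cannot validate at one level and be rejected at the other.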
@@ -10862,8 +13473,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
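Review bot: the `oneOf` block now admits five alternatives (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`), but the `ContextEntry` description directly above it still reads "Either a ConfigMap reference or a APILookup must be provided"; update the description to match the constraint. The same stale sentence appears in the identical `oneOf` hunks further down this diff.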
@@ -10888,8 +13510,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
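Review bot: `default` is substituted when the `apiCall` returns an error, which turns an API failure into a fail-open path whenever the chosen default satisfies the rule; the description should state plainly that it masks errors (not empty results) and advise authors to pick a default that makes the rule deny rather than pass. With `x-kubernetes-preserve-unknown-fields: true` nothing checks the default's shape against the `jmesPath` that consumes it.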
@@ -10899,9 +13526,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10915,8 +13542,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
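Review bot: `headers[].value` is a plain `string`, so a credential-bearing header for the external JSON web service would be stored in clear text in the policy object and shown by every `kubectl get` of it; the description should say so, or the field should accept a Secret reference instead. `key` also has no `pattern`, so an invalid header name is accepted by the schema and fails only at request time.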
@@ -10962,8 +13608,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -11037,8 +13685,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -11244,8 +13894,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
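Review bot: the `tsaCertChain` description ends in the garbled word "timestamurce", which makes the sentence about when the leaf TSA certificate must be included unreadable; the same text is copied verbatim into every other `tsaCertChain` hunk in this diff, so it should be fixed once at the source. The description also calls the value a "certificate chain file" while the field is an inline PEM `string` like `caBundle`; "PEM-encoded certificate chain" would be accurate.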
@@ -11294,13 +13950,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
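Review bot: `issuerRegExp` widens the keyless trust decision from an exact issuer match to a regular expression, but the description says neither whether the pattern is anchored nor whether it is mutually exclusive with `issuer`; an unanchored pattern matches any issuer containing the substring, so the text should state the matching semantics and recommend anchored patterns, and the schema should reject setting both fields, for example with the `not: required:` construct this diff already uses for `name`/`names`.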
@@ -11330,8 +13997,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
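Review bot: same concern as for `issuerRegExp`: `subjectRegExp` matches the signing identity (often an email address) against a regex, and the description should state whether the match is anchored and that `subject` and `subjectRegExp` are mutually exclusive, because a loosely written pattern accepts identities the policy author did not intend to trust.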
@@ -11350,8 +14023,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11407,18 +14086,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
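Review bot: `signatureAlgorithm` now exists twice, each with `default: sha256`: the deprecated one under `keys` and the new attestor-level one. The hunk does not say which wins when a policy sets the old field to, say, `sha512` while the new one stays at its default; the deprecated description should state the precedence so an existing policy does not silently fall back to sha256.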
@@ -11634,8 +14318,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -11684,13 +14374,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -11720,8 +14421,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -11740,8 +14447,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11798,19 +14511,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -11925,8 +14642,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -11994,8 +14714,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -12043,13 +14769,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -12078,8 +14815,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -12098,8 +14841,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -12154,22 +14903,33 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
list must match the image for the rule to apply. Each image reference consists of a registry
@@ -12241,23 +15001,47 @@
Type specifies the method of signature validation. The allowed options
are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
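Review bot: two points in this hunk. `type` gains `SigstoreBundle` in its enum but the description still says "The allowed options are Cosign and Notary"; update it. And `required:` now lists `match`, which is a breaking schema change: a rule that previously had no `match` block will be rejected when the policy itself is applied, so this needs a release-note entry.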
@@ -12270,23 +15054,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
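Review bot: the deprecation text says "use validationFailureAction under the validate rule instead", but the field this diff adds to the validate rule is named `failureAction` (with `failureActionOverrides`); point the deprecation at the real field names, otherwise users following the hint will write a key the schema rejects.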
@@ -12328,13 +15108,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12350,14 +15132,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
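Review bot: the new `failurePolicy` description says "Defaults to Fail" but the schema carries no `default: Fail`, so an unset field is nil and the effective behaviour depends on `GetFailurePolicy()` rather than on what the CRD advertises; add the `default:` so fail-closed is explicit. The sentence "This field should not be accessed directly" is Go-API guidance that does not belong in a user-facing CRD description. The unchanged context line `must by fulfilled` also keeps the typo that a later hunk fixes for `celPreconditions`.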
@@ -12365,9 +15158,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12375,9 +15167,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12388,22 +15179,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
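Review bot: the deprecation text on `webhookTimeoutSeconds` says "use webhookTimeoutSeconds under webhookConfiguration", but the field added under `webhookConfiguration` is `timeoutSeconds`; fix the name. Both descriptions also state "the value must be between 1 and 30 seconds" without `minimum: 1` / `maximum: 30` in the schema, so out-of-range values pass API-server validation and are caught, if at all, only later.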
@@ -12426,16 +15221,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12443,9 +15237,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12456,9 +15249,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -12471,8 +15263,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -12497,8 +15300,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -12508,9 +15316,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -12524,8 +15332,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -12569,8 +15393,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -12644,15 +15470,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -12668,8 +15500,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12730,13 +15566,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12802,13 +15640,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12875,8 +15715,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12937,13 +15781,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13009,13 +15855,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13078,8 +15926,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13140,13 +15992,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13211,13 +16065,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13332,13 +16188,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13354,8 +16212,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
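Review bot: `allowInsecureRegistry` under `imageRegistryCredentials` lets a single policy rule opt into insecure registry access for the image data that verification rules later consume, and nothing in the schema constrains who may set it. Suggest calling this out in the release notes for this bump and, where policy authors are not the same people as cluster admins, adding a review checklist item (or a guard policy) that rejects `allowInsecureRegistry: true` in ClusterPolicy objects. Separately, the `generateExisting` description reads 'If is set to "true"'; it is upstream text, but worth a fix upstream ('If set to true').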
@@ -13427,8 +16738,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
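Review bot: the new `not: required: [any, all]` on MatchResources is a validation tightening, not a documentation change: a policy that sets both `any` and `all` in its `match` block was accepted before and will fail CRD validation after this upgrade. Suggest auditing the existing ClusterPolicy/Policy objects in the target clusters for that combination before merging, since a rejected policy on re-apply means the rule silently stops being enforced.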
@@ -13444,8 +16759,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
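Review bot: same pattern for ResourceDescription: `not: required: [name, names]` rejects rules that set both `name` and `names`. The identical constraint recurs in the later hunks for the `any`/`all` blocks and for the deprecated top-level ResourceDescription, so one audit of existing policies for `name` plus `names` covers all of them.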
@@ -13506,13 +16825,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
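Review bot: `x-kubernetes-list-type: atomic` on `values` and on `matchExpressions` changes server-side-apply semantics: an atomic list is owned and replaced as a whole by the last applier instead of being merged element by element. If policies in this repo are touched by more than one applier (a GitOps controller plus manual kubectl, for instance), expect field-manager conflicts on these selector fields after the upgrade. The same annotation is added in every remaining label-selector hunk below; this one note covers them.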
@@ -13578,13 +16899,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13651,8 +16974,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13713,13 +17040,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13785,13 +17114,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13854,8 +17185,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13916,13 +17251,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13987,13 +17324,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14064,8 +17403,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
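Review bot: the `oneOf` list now enumerates five mutually exclusive sources (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`), but the description two lines above it still says 'Either a ConfigMap reference or a APILookup must be provided'. The text is stale relative to the schema and should be updated upstream to name all five (and read 'an APILookup').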
@@ -14091,8 +17441,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
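Review bot: `apiCall.default` is a fail-open knob: when the API call returns an error the context value silently becomes `default` and rule evaluation continues. For a rule that gates admission on API data, a permissive default turns an API-server or web-service outage into a policy bypass with nothing in the admission response to show it. Recommend the policy guidance in this repo state that `default` for such entries must be a value under which the rule still denies, or be omitted so the error surfaces.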
@@ -14102,9 +17457,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14118,8 +17473,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
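Review bot: `service.headers` stores header values as plain strings inside the policy object. An `Authorization` header for a non-Kubernetes JSON web service would therefore sit in cleartext in the ClusterPolicy, readable by anyone with get/list on policies and preserved in GitOps history. The schema cannot prevent that, so suggest documenting that credentials must not be placed in `headers`, and that `caBundle` (two fields above) be set for any such service so the server certificate is actually validated.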
@@ -14167,8 +17541,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14244,8 +17620,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -14384,8 +17762,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
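Review bot: `mutateExistingOnPolicyUpdate` carries no `default:` in the schema, so the schema alone does not say what happens when the field is omitted, and the description does not say which 'policy events' qualify. Worth a doc line in this repo, because a mutate-existing rule that fires on policy updates rewrites matched resources without any triggering admission request, which is exactly the kind of change a reviewer of policy PRs needs to recognise.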
@@ -14412,8 +17795,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -14439,8 +17833,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -14450,9 +17849,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14466,8 +17865,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -14515,8 +17933,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14592,8 +18012,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -14611,8 +18033,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -14630,8 +18100,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -14640,13 +18117,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
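Review bot: `allowExistingViolations` defaults to `true`, so resources that already violate a rule keep being accepted unless each validate rule sets it to `false` explicitly. That default favours upgrade safety over enforcement; teams expecting an Enforce rule to close out pre-existing violations should review their validate rules after this bump. 'prexisting' in the description is a typo ('pre-existing') to fix upstream. `assert` introduces a kyverno-json assertion tree typed as a free-form object, so nothing at the CRD level validates the tree when the policy itself is admitted.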
@@ -14663,21 +18150,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -14689,15 +18173,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -14716,14 +18198,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -14738,12 +18220,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -14762,10 +18244,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -14837,29 +18319,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -14872,22 +18354,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
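Review bot: the description for the `Allow`/`Deny` field above `selector` drops 'Default to `Deny`' and replaces it with 'Required', yet nothing in this hunk adds a `default:` value or places the field in a `required:` list. If the schema still allows the field to be omitted, the fallback that bindings relied on is now unstated. Suggest checking the surrounding `paramRef` schema and, if the field is truly required, adding it to `required:` so the API server rejects bindings that omit it instead of leaving the not-found behaviour to the controller.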
@@ -14916,13 +18396,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14940,9 +18422,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -14957,8 +18440,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -14971,8 +18455,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
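Review bot: the `failureActionOverrides[].action` enum accepts `audit`, `enforce`, `Audit` and `Enforce`, while the rule-level `failureAction` enum accepts only `Audit` and `Enforce`. The mixed case is presumably for backward compatibility, but a policy author copying `enforce` from an override into `failureAction` gets a validation error; worth flagging in docs or normalising upstream. `namespaces` under the override also has no description. Since an override can turn Enforce into Audit for the listed namespaces, reviewers of policy changes should treat any addition to `failureActionOverrides` as an enforcement-weakening change.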
@@ -14994,8 +18559,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -15021,8 +18597,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -15032,9 +18613,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -15048,8 +18629,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -15097,8 +18697,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -15174,8 +18776,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -15385,8 +18989,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
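Review bot: the `tsaCertChain` description ends in 'timestamurce', a garbled word where the sentence was cut mid-way. It is copied verbatim into the other three `tsaCertChain` hunks below, so one fix to the Go type comment upstream corrects all of them. Note also that the chain is an inline PEM string, so the trust root for RFC3161 timestamps lives in the policy object itself and changes to it should be reviewed like any other trust-anchor change.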
@@ -15435,13 +19045,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
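Review bot: `issuerRegExp` (and `subjectRegExp` in the next hunk) widens keyless identity matching from exact string comparison to a regular expression, and the description does not say whether the pattern is anchored. An unanchored `example.com` also matches an issuer or subject that merely contains that string. Suggest the docs state that patterns should be anchored with `^` and `$` and that the exact `issuer`/`subject` fields remain the preferred form wherever the identity is known in full.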
@@ -15471,8 +19092,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
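Review bot: `subjectRegExp` is the trust boundary of keyless verification and the same anchoring concern applies: `.*@example\.com` without a trailing `$` also matches `ci@example.com.attacker.example`, and an unescaped `.` widens it further; the description should state that the match is full-string (or that patterns must be anchored) and give one safe example. As with `issuerRegExp`, nothing stops a single attestor from setting both `subject` and `subjectRegExp`.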
@@ -15491,8 +19118,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15549,19 +19182,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
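Review bot: both the deprecated `keys.signatureAlgorithm` and the new attestor-level `signatureAlgorithm` keep `default: sha256`, so an attestor that only sets the new field to `sha512` is still admitted with the old field defaulted to `sha256`; if the controller consults the old field first, the stronger setting is silently ignored. Either drop the `default:` from the deprecated field or document which one wins when they differ.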
@@ -15789,8 +19426,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -15841,13 +19484,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -15879,8 +19534,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -15900,8 +19562,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15960,19 +19628,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -16087,8 +19761,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
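Review bot: the new `name` field is described as "the variable name" but the surrounding attestations list has no `x-kubernetes-list-map-keys` or `required` entry for it, so duplicate or empty names pass admission and can only be caught at evaluation time; consider a `pattern` or at least a sentence on what an unset name resolves to.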
@@ -16156,8 +19833,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -16206,13 +19889,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -16242,8 +19936,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -16262,8 +19962,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -16320,22 +20026,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
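Review bot: `failureAction` carries an `enum` but no `default:`, and `cosignOCI11` says "Defaults to false" in prose without a `default: false` key, unlike the neighbouring `useCache` and `verifyDigest` fields, which both carry `default: true`; the `failureAction` description should state what an unset value falls back to, because an image verification rule that silently runs in Audit mode is a fail-open.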
@@ -16420,42 +20142,58 @@
type: string
```
</details>
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
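Review bot: `required: - match` is added to the image-verification rule, so existing policies with a rule that omits `match` will be rejected on their next apply; this is the one change in this file that can break an already-installed ClusterPolicy and should be called out. Minor: the `type` description lists "Sigstore Bundle" with a space while the enum token is `SigstoreBundle`, and `validate.deny.conditions` uses `x-kubernetes-preserve-unknown-fields: true`, so malformed conditions pass admission and fail only at evaluation.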
@@ -16494,14 +20232,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -16553,10 +20286,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
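Review bot: dropping `ready` from the status `required` list means `status.ready` may now be absent on objects written by the new controller, so anything that gates on `.status.ready == true` (CI readiness checks, `kubectl wait` on that field) should treat a missing field as not-ready rather than erroring; the chart changelog should mention it.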
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
names:
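Review bot: this is a 3.2.7 to 3.3.3 minor bump of the Kyverno CRDs chart, and the `controller-gen` move from v0.15.0 to v0.16.1 is what produces the `x-kubernetes-list-type: atomic` markers further down; those are harmless, but the storage-version and served-version changes later in this file are not a plain regeneration and should be reviewed as a schema migration.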
@@ -176,8 +176,12 @@
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
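Review bot: `not: required: [any, all]` under `match` makes `any` and `all` mutually exclusive at admission; a PolicyException that currently sets both was accepted before and will fail validation on its next write. Worth listing in the upgrade notes together with the identical constraint this PR adds for `resources.name`/`names`.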
@@ -192,8 +196,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
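Review bot: `not: required: [name, names]` on `resources` enforces the `Name` deprecation in favour of `Names` (the removed v2alpha1 body later in this diff still documents `NOTE: "Name" is being deprecated in favor of "Names"`); exceptions that set both must move the single `name` into `names` before upgrading, and the description here should say so.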
@@ -253,13 +261,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -323,13 +333,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -395,8 +407,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -456,13 +472,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -526,13 +544,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -644,10 +664,11 @@
required:
- spec
type: object
served: true
- storage: false
- - name: v2alpha1
+ storage: true
+ - deprecated: true
+ name: v2beta1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
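Review bot: flipping `storage: false` to `storage: true` and removing the `v2alpha1` entry in one step only applies cleanly if no PolicyException is still recorded under `v2alpha1` in the CRD's `status.storedVersions`; the API server rejects a CRD update that drops a version listed there, so stored objects need a storage-version migration first. Also, `deprecated: true` on `v2beta1` is set without a `deprecationWarning`, so clients get the generic warning instead of one naming the replacement version.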
@@ -796,8 +817,12 @@
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -812,211 +837,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
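Review bot: this hunk is unreadable as a change record: the diff interleaves the removal of the entire `v2alpha1` schema with the surviving version, so the only real addition, `not: required: [name, names]` next to the `- - kind` line, is buried among roughly two hundred deleted lines, and a casual read suggests `required: - kind` on subjects was dropped when it was the v2alpha1 copy that went. Review the rendered file, not this diff.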
@@ -1076,13 +902,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1146,13 +974,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1203,224 +1033,10 @@
x-kubernetes-map-type: atomic
type: array
type: object
type: array
- type: object
- podSecurity:
- description: |-
- PodSecurity specifies the Pod Security Standard controls to be excluded.
- Applicable only to policies that have validate.podSecurity subrule.
- items:
- description: PodSecurityStandard specifies the Pod Security Standard
- controls to be excluded.
- properties:
- controlName:
- description: |-
- ControlName specifies the name of the Pod Security Standard control.
- See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
- enum:
- - HostProcess
- - Host Namespaces
- - Privileged Containers
- - Capabilities
- - HostPath Volumes
- - Host Ports
- - AppArmor
- - SELinux
- - /proc Mount Type
- - Seccomp
- - Sysctls
- - Volume Types
- - Privilege Escalation
- - Running as Non-root
- - Running as Non-root user
- type: string
- images:
- description: |-
- Images selects matching containers and applies the container level PSS.
- Each image is the image name consisting of the registry address, repository, image, and tag.
- Empty list matches no containers, PSS checks are applied at the pod level only.
- Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
- items:
- type: string
- type: array
- restrictedField:
- description: |-
- RestrictedField selects the field for the given Pod Security Standard control.
- When not set, all restricted fields for the control are selected.
- type: string
- values:
- description: Values defines the allowed values that can be excluded.
- items:
- type: string
- type: array
- required:
- - controlName
- type: object
- type: array
- required:
- - exceptions
- - match
- type: object
- required:
- - spec
- type: object
- served: false
- storage: false
- - name: v2beta1
- schema:
- openAPIV3Schema:
- description: PolicyException declares resources to be excluded from specified
- policies.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy exception behaviors.
- properties:
- background:
- description: |-
- Background controls if exceptions are applied to existing policies during a background scan.
- Optional. Default value is "true". The value must be set to "false" if the policy rule
- uses variables that are only available in the admission review request (e.g. user name).
- type: boolean
- conditions:
- description: |-
- Conditions are used to determine if a resource applies to the exception by evaluating a
- set of conditions. The declaration can contain nested `any` or `all` statements.
- properties:
- all:
- description: |-
- AllConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, all of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
any:
- description: |-
- AnyConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, at least one of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- type: object
- exceptions:
- description: Exceptions is a list policy/rules to be excluded
- items:
- description: Exception stores infos about a policy and rules
- properties:
- policyName:
- description: |-
- PolicyName identifies the policy to which the exception is applied.
- The policy name uses the format <namespace>/<name> unless it
- references a ClusterPolicy.
- type: string
- ruleNames:
- description: RuleNames identifies the rules to which the exception
- is applied.
- items:
- type: string
- type: array
- required:
- - policyName
- - ruleNames
- type: object
- type: array
- match:
- description: Match defines match clause used to check if a resource
- applies to the exception
- properties:
- all:
- description: All allows specifying resources which will be ANDed
+ description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
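Review bot: the `podSecurity` exclusion schema, the `served: false`/`storage: false` version entry and the `v2beta1` head removed here all belong to the `v2alpha1` body being deleted, not to a feature removal; the surviving version's `podSecurity` block is not in this diff, so confirm it is still present in the rendered schema of the remaining served version before treating this hunk as a no-op.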
@@ -1432,211 +1048,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
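Review bot: this hunk strips most of the match/exclude filter schema (names, namespaceSelector, namespaces, operations, selector, roles, subjects and the whole `any` list) from this CRD version while leaving only `+ not:` and `+ - names` in place. Before merging, confirm which served version this is and that no stored objects still use the removed fields: with the default strict field validation, clients that keep submitting `any`, `subjects` or `roles` to this version will be rejected rather than silently pruned. The matching `storage: true` to `storage: false` flip in the last hunk of this file suggests the version is being retired, so a migration of `status.storedVersions` should be part of the rollout plan.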
@@ -1696,13 +1113,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1766,13 +1185,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1884,5 +1305,5 @@
required:
- spec
type: object
served: true
- storage: true
+ storage: false
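Review bot: `storage: true` becomes `storage: false` here, and a CRD must have exactly one version with `storage: true`, so verify that another version of this CRD gains `storage: true` in the same diff (the counterpart is not in this hunk). Objects already persisted in the old version stay listed in the CRD's `status.storedVersions` until they are rewritten, so a storage-version migration step is needed before the old version can be dropped from `spec.versions`.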
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: updaterequests.kyverno.io
spec:
group: kyverno.io
names:
@@ -50,8 +50,9 @@
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
name: v1beta1
schema:
openAPIV3Schema:
description: UpdateRequest is a request to process mutate and generate rules
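Review bot: `deprecated: true` is added to `v1beta1` without a `deprecationWarning`, so the apiserver will emit its generic default warning on every request to this version. Consider setting `deprecationWarning` with the replacement version (`v2`, which becomes the storage version later in this file) so that client warnings point operators at the right migration target.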
@@ -144,16 +145,14 @@
description: |-
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type for more details.
properties:
group:
type: string
@@ -170,16 +169,14 @@
description: |-
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type.
properties:
group:
type: string
@@ -243,8 +240,9 @@
of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -302,8 +300,9 @@
description: The names of groups this user is a part of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -405,9 +404,9 @@
- state
type: object
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.policy
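Review bot: `v1beta1` of `updaterequests.kyverno.io` loses `storage: true` here; together with the `deprecated: true` above, this is the right pairing, but existing UpdateRequest objects written under `v1beta1` remain in `status.storedVersions` until migrated. Since UpdateRequests drive background mutate/generate processing, a migration or cleanup of in-flight requests should be confirmed before the version is removed.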
@@ -457,9 +456,11 @@
spec:
description: ResourceSpec is the information to identify the trigger resource.
properties:
context:
- description: Context ...
+ description: |-
+ Context represents admission request context.
+ It is used upon admission review only and is shared across rules within the same UR.
properties:
admissionRequestInfo:
description: AdmissionRequestInfoObject stores the admission request
and operation details
@@ -524,16 +525,14 @@
description: |-
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type for more details.
properties:
group:
type: string
@@ -550,16 +549,14 @@
description: |-
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type.
properties:
group:
type: string
@@ -623,8 +620,9 @@
of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -682,8 +680,9 @@
description: The names of groups this user is a part of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -696,10 +695,11 @@
type: object
type: object
type: object
deleteDownstream:
- description: DeleteDownstream represents whether the downstream needs
- to be deleted.
+ description: |-
+ DeleteDownstream represents whether the downstream needs to be deleted.
+ Deprecated
type: boolean
policy:
description: Specifies the name of the policy.
type: string
@@ -731,12 +731,58 @@
type: object
rule:
description: Rule is the associate rule name of the current UR.
type: string
+ ruleContext:
+ description: |-
+ RuleContext is the associate context to apply rules.
+ optional
+ items:
+ properties:
+ deleteDownstream:
+ description: DeleteDownstream represents whether the downstream
+ needs to be deleted.
+ type: boolean
+ rule:
+ description: Rule is the associate rule name of the current
+ UR.
+ type: string
+ synchronize:
+ description: |-
+ Synchronize represents the sync behavior of the corresponding rule
+ Optional. Defaults to "false" if not specified.
+ type: boolean
+ trigger:
+ description: ResourceSpec is the information to identify the
+ trigger resource.
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ required:
+ - deleteDownstream
+ - rule
+ - trigger
+ type: object
+ type: array
synchronize:
description: |-
Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to "false" if not specified.
+ Deprecated, will be removed in 1.14.
type: boolean
required:
- context
- deleteDownstream
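Review bot: the `ruleContext` description carries a bare `optional` line, which looks like a leaked `+optional` kubebuilder marker rather than intended documentation; the generated text should read "Optional." like the neighbouring `synchronize` description. Note also that each `ruleContext` item makes `deleteDownstream`, `rule` and `trigger` required while the top-level `deleteDownstream` and `synchronize` are now marked deprecated (the latter "will be removed in 1.14"), so any tooling that creates UpdateRequests directly will need to populate the per-rule fields.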
@@ -782,7 +828,7 @@
- state
type: object
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
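Review bot: this flip makes `v2` the storage version, completing the pair with the `v1beta1` `storage: false` change earlier in this file, so exactly one storage version remains. The apiserver does not rewrite stored objects on its own, so `status.storedVersions` will still list `v1beta1` until every UpdateRequest has been read and written back in `v2`.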
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clusterephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
@@ -186,13 +186,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -205,26 +207,10 @@
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to
+ let you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -236,9 +222,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: ephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
@@ -186,13 +186,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -205,26 +207,10 @@
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to
+ let you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -236,9 +222,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clusterpolicyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
@@ -126,13 +126,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -145,26 +147,10 @@
resources:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to let
+ you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -176,9 +162,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -277,9 +262,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -337,13 +321,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: policyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
@@ -125,13 +125,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -144,26 +146,10 @@
resources:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to let
+ you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -175,9 +161,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -276,9 +261,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -336,13 +320,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
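Review bot: the new `aggregationRule` selector means every ClusterRole labelled `rbac.kyverno.io/aggregate-to-admission-controller: "true"` is merged into the admission controller's permissions, regardless of which chart or user created it. This is the intended extension point, but it makes that label a privilege-granting control: after the upgrade, audit which ClusterRoles carry it and treat ClusterRole creation with this label as equivalent to granting permissions to Kyverno.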
@@ -27,10 +29,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -71,12 +73,8 @@
- updaterequests
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
verbs:
- create
- delete
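Review bot: the removal of `admissionreports`, `clusteradmissionreports`, `backgroundscanreports` and `clusterbackgroundscanreports` from the `kyverno.io` rule is consistent with the report resources now living under `reports.kyverno.io` (the ephemeral report CRDs updated elsewhere in this diff). Confirm the corresponding `kyverno.io` report CRDs are deleted in the same diff; otherwise any leftover objects of those kinds become unmanaged by the controller.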
@@ -150,12 +148,4 @@
- patch
- get
- list
- watch
- - apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
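Review bot: removing the `'*'` apiGroups / `'*'` resources get, list, watch rule is a real privilege reduction for the admission controller. Its replacement is the binding to the built-in `view` ClusterRole added in clusterrolebinding.yaml below; `view` does not include Secrets, so any policy context that performs an `apiCall` against Secrets will need an explicit grant after this upgrade.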
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml 2024-11-22 16:44:28.392438480 +0000
@@ -8,14 +8,35 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:admission-controller
subjects:
- kind: ServiceAccount
name: kyverno-admission-controller
namespace: default
+---
+# Source: sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: release-name-kyverno:admission-controller:view
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: release-name-kyverno
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+ - kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: default
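Review bot: the new `release-name-kyverno:admission-controller:view` binding grants the service account the aggregated `view` ClusterRole, which includes every ClusterRole in the cluster labelled `rbac.authorization.k8s.io/aggregate-to-view` (the argo-rollouts `aggregate-to-view` role rendered in this same PR, for example), so the effective read set is wider than the static `view` definition. A short note in the chart's values or README that this binding replaces the former wildcard read rule would help the next reviewer.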
diff -U 4 -r out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml
--- out/target/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml 2024-11-22 16:44:59.716263200 +0000
+++ out/pr/kyverno/values-metalstack.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml 2024-11-22 16:44:28.396438462 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-admission-controller
initContainers:
- name: kyverno-pre
- image: "ghcr.io/kyverno/kyvernopre:v1.12.6"
+ image: "ghcr.io/kyverno/kyvernopre:v1.13.1"
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
- --v=2
@@ -65,8 +65,10 @@
memory: 64Mi
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: release-name-kyverno:admission-controller
- name: INIT_CONFIG
value: release-name-kyverno
- name: METRICS_CONFIG
value: release-name-kyverno-metrics
@@ -83,16 +85,18 @@
- name: KYVERNO_SVC
value: release-name-kyverno-svc
containers:
- name: kyverno
- image: "ghcr.io/kyverno/kyverno:v1.12.6"
+ image: "ghcr.io/kyverno/kyverno:v1.13.1"
imagePullPolicy: IfNotPresent
args:
- --caSecretName=release-name-kyverno-svc.default.svc.kyverno-tls-ca
- --tlsSecretName=release-name-kyverno-svc.default.svc.kyverno-tls-pair
- --backgroundServiceAccountName=system:serviceaccount:default:kyverno-background-controller
+ - --reportsServiceAccountName=system:serviceaccount:default:kyverno-reports-controller
- --servicePort=443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --admissionReports=true
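Review bot: `--reportsServiceAccountName=system:serviceaccount:default:kyverno-reports-controller` hard-codes the `default` namespace, the same way the existing `--backgroundServiceAccountName` does; if this release is installed into a different namespace both values must follow, since the controller uses them to recognise its own components' requests. The added `--resyncPeriod=15m` is a new default and needs no action.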
@@ -102,16 +106,18 @@
- --enableDeferredLoading=true
- --dumpPayload=false
- --forceFailurePolicyIgnore=false
- --generateValidatingAdmissionPolicy=false
+ - --dumpPatches=false
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
- --protectManagedResources=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
resources:
limits:
memory: 1Gi
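Review bot: `--enablePolicyException` flips from `true` to `false` in this render, which is a behavioural change rather than a plain version bump: any PolicyException objects already in the cluster stop being honoured and the workloads they exempt will be blocked or reported as violations. If exceptions are in use, the chart value controlling this feature in 3.3.x must be set explicitly (the key is not visible in this diff, so it is not named here). The new `--enableReporting=validate,mutate,mutateExisting,imageVerify,generate` and `--dumpPatches=false` are additive defaults.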
@@ -140,8 +146,10 @@
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: release-name-kyverno:admission-controller
- name: KYVERNO_SVC
value: release-name-kyverno-svc
- name: TUF_ROOT
value: /.sigstore |
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml 2024-11-22 16:45:00.512259689 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml 2024-11-22 16:44:29.212434748 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clustercleanuppolicies.kyverno.io
spec:
group: kyverno.io
names:
@@ -157,8 +157,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
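Review bot: the added `oneOf` makes every context entry carry exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`; a cleanup policy already stored with an empty or multi-source entry will fail validation on its next update, so a pre-upgrade pass over existing policies is advisable.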
@@ -182,8 +193,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
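Review bot: the new `default` on `apiCall` substitutes a fixed JSON value when the call returns an error, which turns a failed lookup into a normal evaluation against static data; policy authors should set it only where the fallback yields the restrictive outcome, otherwise an API outage or a denied request becomes fail-open for the rule that depends on it.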
@@ -193,8 +209,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -208,8 +225,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
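Review bot: `headers` lets a policy attach arbitrary HTTP headers to the `apiCall`, and the schema only accepts literal `key`/`value` strings with no Secret reference, so any Authorization-style header would be stored in clear in the policy object, which is readable by anyone with get on (cluster)cleanuppolicies. Worth a line in the deployment docs that credentials must not be inlined here.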
@@ -253,8 +286,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -326,15 +361,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
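Review bot: `not: required: [any, all]` on `exclude` rejects policies that set both `any` and `all` in the same exclude block, and `required: [name]` on the variable context entry makes unnamed variables invalid; both are stricter than the 3.2.7 schema and can reject existing objects on update.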
@@ -349,422 +390,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- match:
- description: |-
- MatchResources defines when cleanuppolicy should be applied. The match
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the user name or role.
- At least one kind is required.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
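Review bot: the 422-to-12 line replacement in this hunk is diff alignment across a removed schema block, so read the interleaved `+`/`-` lines rather than the whole span; the net change to the resource description is `not: required: [name, names]`, which makes `name` (already marked deprecated in favour of `names` in the description text above) and `names` mutually exclusive, so cleanup policies that set both will be rejected on their next apply.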
@@ -824,13 +455,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -894,13 +527,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -966,813 +601,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- schedule:
- description: The schedule in Cron format
- type: string
- required:
- - schedule
- type: object
- status:
- description: Status contains policy runtime data.
- properties:
- conditions:
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastExecutionTime:
- format: date-time
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.schedule
- name: Schedule
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v2alpha1
- schema:
- openAPIV3Schema:
- description: ClusterCleanupPolicy defines rule for resource cleanup.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy behaviors.
- properties:
- conditions:
- description: Conditions defines the conditions used to select the
- resources which will be cleaned up.
- properties:
- all:
- description: |-
- AllConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, all of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- any:
- description: |-
- AnyConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, at least one of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- type: object
- context:
- description: Context defines variables and data sources that can be
- used during rule execution.
- items:
- description: |-
- ContextEntry adds variables and data sources to a rule Context. Either a
- ConfigMap reference or a APILookup must be provided.
- properties:
- apiCall:
- description: |-
- APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
- The data returned is stored in the context with the name for the context entry.
- properties:
- data:
- description: |-
- The data object specifies the POST data sent to the server.
- Only applicable when the method field is set to POST.
- items:
- description: RequestData contains the HTTP POST data
- properties:
- key:
- description: Key is a unique identifier for the data
- value
- type: string
- value:
- description: Value is the data value
- x-kubernetes-preserve-unknown-fields: true
- required:
- - key
- - value
- type: object
- type: array
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- method:
- default: GET
- description: Method is the HTTP request type (GET or POST).
- enum:
- - GET
- - POST
- type: string
- service:
- description: |-
- Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath field.
- properties:
- caBundle:
- description: |-
- CABundle is a PEM encoded CA bundle which will be used to validate
- the server certificate.
- type: string
- url:
- description: |-
- URL is the JSON web service URL. A typical form is
- `https://{service}.{namespace}:{port}/{path}`.
- type: string
- required:
- - url
- type: object
- urlPath:
- description: |-
- URLPath is the URL path to be used in the HTTP GET or POST request to the
- Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl get --raw` command.
- See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details.
- It's mutually exclusive with the Service field.
- type: string
- type: object
- configMap:
- description: ConfigMap is the ConfigMap reference.
- properties:
- name:
- description: Name is the ConfigMap name.
- type: string
- namespace:
- description: Namespace is the ConfigMap namespace.
- type: string
- required:
- - name
- type: object
- globalReference:
- description: GlobalContextEntryReference is a reference to a
- cached global context entry.
- properties:
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- name:
- description: Name of the global context entry
- type: string
- type: object
- imageRegistry:
- description: |-
- ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
- details.
- properties:
- imageRegistryCredentials:
- description: ImageRegistryCredentials provides credentials
- that will be used for authentication with registry
- properties:
- allowInsecureRegistry:
- description: AllowInsecureRegistry allows insecure access
- to a registry.
- type: boolean
- providers:
- description: |-
- Providers specifies a list of OCI Registry names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.
- items:
- description: ImageRegistryCredentialsProvidersType
- provides the list of credential providers required.
- enum:
- - default
- - amazon
- - azure
- - google
- - github
- type: string
- type: array
- secrets:
- description: |-
- Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
- items:
- type: string
- type: array
- type: object
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the ImageData struct returned as a result of processing
- the image reference.
- type: string
- reference:
- description: |-
- Reference is image reference to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest
- type: string
- required:
- - reference
- type: object
- name:
- description: Name is the variable name.
- type: string
- variable:
- description: Variable defines an arbitrary JMESPath context
- variable that can be defined inline.
- properties:
- default:
- description: |-
- Default is an optional arbitrary JSON object that the variable may take if the JMESPath
- expression evaluates to nil
- x-kubernetes-preserve-unknown-fields: true
- jmesPath:
- description: |-
- JMESPath is an optional JMESPath Expression that can be used to
- transform the variable.
- type: string
- value:
- description: Value is any arbitrary JSON object representable
- in YAML or JSON form.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- exclude:
- description: |-
- ExcludeResources defines when cleanuppolicy should not be applied. The exclude
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name or role.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
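Review bot: this hunk removes the whole v2alpha1 version of the ClusterCleanupPolicy CRD (the `- name: v2alpha1` block and the schema under it are deleted, not marked deprecated). The API server refuses a CRD update that removes a version still listed in the CRD's `.status.storedVersions`, and any manifest or client that still addresses cleanup policies through `v2alpha1` is rejected once this is applied. Before merging, check `.status.storedVersions` on the installed CRD and grep this repo's policies for `v2alpha1`; if either still references it, a storage-version migration and a manifest update have to land first.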
@@ -1832,13 +666,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1902,13 +738,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1966,8 +804,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
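Review bot: the `not: required: [any, all]` added under `match` is a new hard rejection: a cleanup policy whose `match` block sets both `any` and `all` now fails CRD validation on apply, where the previous schema accepted that combination. That is a behaviour change for existing policies rather than a pure schema tightening, so the rendered cleanup policies in this repo should be checked for a `match` that carries both keys before the CRD update lands.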
@@ -1982,8 +824,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
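Review bot: the `not: required: [name, names]` added to ResourceDescription turns the soft deprecation of `name` in favour of `names` (see the NOTE in the `name` description earlier in this file) into a validation failure whenever both are set, so a policy that kept `name` alongside `names` during migration stops applying. The same constraint is repeated for every ResourceDescription in the file, so one such pair anywhere in a policy rejects the whole object; a grep over the repo's policies for `name:` next to `names:` is worth doing before merge.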
@@ -2043,13 +889,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2113,13 +961,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2185,8 +1035,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2246,13 +1100,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2316,13 +1172,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2378,25 +1236,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
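Review bot: `match` becomes a required spec field here (`required: [match, schedule]`), so a cleanup policy manifest without a `match` block is rejected on apply. For a resource that deletes objects on a schedule an explicit match is the safer contract, but any existing policy in this repo that omits `match` will stop applying and needs to be fixed in the same change. The shortened Condition description below is a documentation-only change.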
@@ -2435,14 +1286,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -2459,10 +1305,10 @@
type: object
required:
- spec
type: object
- served: false
- storage: false
+ served: true
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
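Review bot: `served` and `storage` both flip to true on the version that precedes v2beta1, and the last hunk of this file flips v2beta1 to `storage: false`, so the storage version of this CRD changes in this bump. No conversion strategy change appears in the diff, which means this relies on both versions carrying the same schema (the same edits are applied to each below); operationally, objects already persisted as v2beta1 stay in that version until they are rewritten, and `.status.storedVersions` keeps listing v2beta1 until a storage-version migration is run. That unmigrated entry is exactly what would block dropping v2beta1 in a later bump, so plan the migration as part of this upgrade.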
@@ -2470,8 +1316,9 @@
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: ClusterCleanupPolicy defines rule for resource cleanup.
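Review bot: marking v2beta1 `deprecated: true` without a `deprecationWarning` string means every request through that version gets the API server's generic deprecation warning. That is acceptable, but the policies in this repo should be moved off v2beta1 now, since the next chart bump is likely to remove it the same way v2alpha1 is removed in this diff.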
@@ -2595,8 +1442,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
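Review bot: the `oneOf` over `configMap`, `apiCall`, `imageRegistry`, `variable` and `globalReference` enforces exactly one source per context entry, so an entry with none or with two sources is now rejected on apply. The description two lines above still reads "Either a ConfigMap reference or a APILookup must be provided", which no longer matches the rule and has a typo ("a APILookup"); suggest updating it to list all five alternatives.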
@@ -2620,8 +1478,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
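Review bot: the new `default` on `apiCall` substitutes an author-chosen value when the lookup fails instead of failing the rule. In a policy that decides deletions from API data, a permissive default (for instance an empty list that makes a "nothing to keep" condition pass) turns a transient API error into deletions, so policies that adopt this field should be reviewed to make sure the default fails closed.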
@@ -2631,8 +1494,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2646,8 +1510,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
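Review bot: `headers` values are plain `type: string` fields with no secret-reference alternative in this schema, so an Authorization or API-key header for the external service ends up in clear text in the policy object, readable by anyone with get on the policy resource and committed to git if policies are versioned here. Treat header values as secrets in policy review and keep long-lived credentials out of this field.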
@@ -2691,8 +1571,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2764,15 +1646,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -2787,8 +1675,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2848,13 +1740,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2918,13 +1812,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2990,8 +1886,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3051,13 +1951,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3121,13 +2023,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3185,8 +2089,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -3201,8 +2109,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3262,13 +2174,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3332,13 +2246,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3404,8 +2320,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3465,13 +2385,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3535,13 +2457,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3597,25 +2521,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
@@ -3654,14 +2571,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -3679,7 +2591,7 @@
required:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {} |
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 2024-11-22 16:45:00.512259689 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 2024-11-22 16:44:29.212434748 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
names:
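Review bot: the crds subchart moves from 3.2.7 to 3.3.3 (and controller-gen from v0.15.0 to v0.16.1), which is where the schema tightening, field deprecations and the storage-version change across this diff come from. This should be reviewed as a Kyverno minor-version upgrade rather than a label bump: the CRDs and the controller that serves them move together, so confirm the rest of the kyverno chart is on the matching version in this same change.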
@@ -32,11 +32,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
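Review bot: the `VALIDATE ACTION` printer column is removed, so `kubectl get` output for cluster policies loses that column and the positions of the columns after it shift; anything scripted against column positions in that output needs adjusting.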
@@ -113,31 +110,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
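Review bot: the removed `failurePolicy` description stated `Defaults to Fail`, while the deprecated replacement text only points to `webhookConfiguration` without naming a default; confirm the webhook failure policy still defaults to Fail after the upgrade, since `Ignore` makes admission fail open whenever Kyverno is unavailable or times out. The same hunk deprecates spec-level `generateExisting` and `mutateExistingOnPolicyUpdate` in favour of rule-level fields and adds `emitWarning` (default false); the deprecated fields still validate, so list the ClusterPolicies that set them and plan the migration rather than relying on silent acceptance.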
@@ -153,16 +150,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
- by fulfilled for a request to be sent to a webhook.
+ be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -170,9 +166,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -183,9 +178,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -198,8 +192,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
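Review bot: the new `oneOf` block makes exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` mandatory per context entry at the schema level, so an existing policy whose context entry sets none or more than one of these is rejected on its next apply. The description just above still says only `Either a ConfigMap reference or a APILookup must be provided`, which no longer matches the five alternatives; suggest fixing the wording upstream and dry-run applying the existing policies against the new CRD before merging.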
@@ -224,8 +229,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
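Review bot: `default` turns a failed `apiCall` into a successful context lookup with a caller-chosen value, so a validate rule that denies based on API data can become permissive when the API server or external service errors. Policy authors should pick defaults that keep the rule on the deny path (or omit `default` so the error surfaces), and policy review should treat this field as part of the fail-open versus fail-closed decision.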
@@ -235,9 +245,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -251,8 +261,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
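Review bot: `headers` are free-form `key`/`value` strings stored in the ClusterPolicy itself, with no secret-reference form in this schema, so an `Authorization` or API-key header placed here is readable by anyone with `get` on clusterpolicies and shows up in `kubectl get -o yaml` output, GitOps repositories and audit logs. Policy review should flag credentials in `headers`, and RBAC on clusterpolicies deserves a second look if this feature is adopted.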
@@ -296,8 +322,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -370,15 +398,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
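Review bot: `exclude` now carries `not: required: [any, all]`, so a rule that specifies both `any` and `all` under `exclude` fails schema validation after the upgrade, and the context entry gains `required: [name]`. Both are tightening changes that only surface when a policy is re-applied; run the existing ClusterPolicies through the new CRD with a dry-run apply before merging so a later GitOps sync does not start failing.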
@@ -394,8 +428,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
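Review bot: `not: required: [name, names]` makes `name` and `names` mutually exclusive in `ResourceDescription`; the same constraint is repeated in the later hunks for every match and exclude block. A policy that set both previously had ambiguous matching, so this is a correctness improvement, but it is another break for existing objects that needs the same dry-run check.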
@@ -456,13 +494,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
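Review bot: `x-kubernetes-list-type: atomic` on `matchExpressions` and its `values` changes server-side apply semantics: the whole list is owned by a single field manager and replaced wholesale, so a GitOps tool and a human `kubectl apply --server-side` can no longer each own separate selector entries. The same marker recurs in every matchExpressions hunk below; worth a line in the upgrade notes if any automation patches selectors in place.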
@@ -527,13 +567,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -600,8 +642,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -662,13 +708,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -733,13 +781,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -802,8 +852,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -863,13 +917,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -933,13 +989,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1051,13 +1109,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1073,8 +1133,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
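Review bot: the `list` description inside the new generate `foreach` (`to which the validation logic is applied`) is copied from the validate rule and should read as generation, and the nested `imageRegistry` context exposes `allowInsecureRegistry`, which the schema itself describes as permitting insecure access to the registry that feeds generated resources. Suggest fixing the wording upstream and, on the cluster side, treating `allowInsecureRegistry: true` as a policy-review finding. The hunk also introduces rule-level `generateExisting`, the replacement for the spec-level field deprecated above.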
@@ -1146,8 +1651,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -1163,8 +1672,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1225,13 +1738,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1296,13 +1811,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1369,8 +1886,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1431,13 +1952,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1502,13 +2025,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1571,8 +2096,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1632,13 +2161,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1702,13 +2233,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1778,8 +2311,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -1804,8 +2348,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -1815,9 +2364,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -1831,8 +2380,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -1878,8 +2446,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -1953,8 +2523,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -2090,8 +2662,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
@@ -2118,8 +2694,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2144,8 +2731,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2155,9 +2747,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2171,8 +2763,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -2218,8 +2829,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2293,8 +2906,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -2312,8 +2927,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
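Review bot: `selector` on mutate targets lets a mutateExisting rule pick the existing resources it writes to by label, so the scope of an out-of-band write is now set by the selector rather than only by name and namespace. Before relying on it, check how an empty `selector` or empty `matchLabels` is interpreted (in core Kubernetes an empty label selector matches everything) and require at least one label in policy review.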
@@ -2331,8 +2994,14 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -2341,13 +3010,22 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting violating
+ resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
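Review bot: `allowExistingViolations` (the new field at the top of the hunk) defaults to `true`, so resources that already violate a rule are not blocked when the rule is later enforced; the description should state plainly that this is the permissive default so operators who want strict enforcement know to set it to `false`. The description also misspells "prexisting" (should be "preexisting"). The new `assert` field is typed only via `x-kubernetes-preserve-unknown-fields`, so a malformed assertion tree is accepted at policy admission and only fails at evaluation time; worth a sentence in the description.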
@@ -2364,21 +3042,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -2390,15 +3065,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -2416,9 +3089,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -2436,12 +3109,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -2459,9 +3132,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -2533,29 +3206,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -2568,22 +3241,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
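Review bot: In the `parameterNotFoundAction` description (first block of the hunk) the line `Default to \`Deny\`` is replaced by `Required`, yet the hunk shows no `default:` and no `required:` change for the field, so the schema still accepts a binding that omits it. Because this value decides whether a binding with no matching params fails open (`Allow`) or closed (`Deny`), either keep a stated default or add the field to the parent `required:` list so the behaviour is unambiguous.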
@@ -2612,13 +3283,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2636,9 +3309,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -2653,8 +3327,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -2667,8 +3342,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
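Review bot: The new `failureAction` enum accepts only `Audit`/`Enforce`, while `failureActionOverrides[].action` in the same hunk also accepts lower-case `audit`/`enforce`; use one casing rule for both so an override cannot be written in a form the rule-level field rejects. `failureAction` is documented as Optional but has no `default:`, so the description should say what applies when it is unset (the policy-level `validationFailureAction` defaults to `Audit`, i.e. report-only). The `namespaces` list under `failureActionOverrides` has no description; state how it combines with `namespaceSelector`.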
@@ -2689,8 +3445,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
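Review bot: The new `oneOf` makes exactly one data source mandatory, which is a good tightening, but the description just above it still says "Either a ConfigMap reference or a APILookup must be provided" while the `oneOf` lists five alternatives (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`); update the description to match and fix "a APILookup" to "an APILookup". The same stale text appears in the later duplicate of this hunk.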
@@ -2715,8 +3482,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
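Review bot: `default` for `apiCall` (middle of the hunk) substitutes an arbitrary JSON value when the API call fails, which turns a lookup failure into a silently successful rule evaluation; the description should say whether the error is still logged or reported and warn that a permissive default can make a policy that gates on the lookup fail open. Consider wording such as "Use with care: when set, API errors no longer cause the rule to fail."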
@@ -2726,9 +3498,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2742,8 +3514,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
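Review bot: `headers[].value` (new block in the middle of the hunk) is a plain `string`, so any `Authorization` or API-key header for the JSON web service ends up in clear text in the policy object and in anything that reads, lists or backs it up. The description should say so, and a secret-backed alternative (a Secret key reference) would be the safer design; at minimum document that RBAC on policy resources now also protects service credentials. Minor: the `Key is the header key` / `Value is the header value` descriptions lack terminating periods, unlike their neighbours.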
@@ -2789,8 +3580,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2864,8 +3657,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -3071,8 +3866,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
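Review bot: The `tsaCertChain` description (new block) ends in a garbled word, "timestamurce", and calls the value a "certificate chain file" although the field is a `string` in an in-cluster CRD; clarify whether the value is inline PEM or a path and complete the sentence from the upstream source rather than guessing. The identical text is repeated in every other `tsaCertChain` hunk below, so it should be fixed once at the generator.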
@@ -3121,13 +3922,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3157,8 +3969,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
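Review bot: `subjectRegExp` here, and `issuerRegExp` in the preceding hunk, accept a regular expression for the keyless signing identity, but neither description says whether the match is anchored (full match) or a substring search, nor what happens when both the literal field (`subject`/`issuer`) and the regex are set. An unanchored pattern trusts every identity that merely contains the substring, which widens the set of accepted signers; the descriptions should state the matching semantics and recommend anchored patterns.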
@@ -3177,8 +3995,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3234,18 +4058,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
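Review bot: `signatureAlgorithm` is deprecated under `keys` and re-added one level up with the same `default: sha256`; since both fields keep a default, the description should state which one wins when they disagree. Both old and new descriptions list sha224/sha256/sha384/sha512 as the supported values but neither has an `enum:`, so a typo is accepted by the API server and only fails at verification time; add an enum while the field is being moved. The same applies to the two later copies of this hunk.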
@@ -3472,8 +4301,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3522,13 +4357,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3558,8 +4404,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3578,8 +4430,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3636,19 +4494,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -3763,8 +4625,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -3832,8 +4697,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3881,13 +4752,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3916,8 +4798,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -3936,8 +4824,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3992,22 +4886,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
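Review bot: The new `failureAction` under image verification (end of the hunk) has an enum but no `default:` and no sentence on what applies when it is unset, unlike the policy-level `validationFailureAction` which defaults to `Audit`; add a default or describe the fallback, since for signature verification the difference is report-only versus blocking. `cosignOCI11` is labelled experimental; the description should say what that implies for verification results so operators do not enable it on production clusters by accident.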
@@ -4091,26 +5001,50 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
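Review bot: `- match` is added to the rule's `required:` list at the end of the hunk; that is a schema-level breaking change for any existing policy whose rules omit `match`, and it should be called out in the chart's upgrade notes because the rejection happens at apply time. In the `type` enum the new literal is `SigstoreBundle` but the description says "Sigstore Bundle" with a space; align the two so users copy the right value.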
@@ -4123,23 +5057,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
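Review bot: The deprecation text points at the wrong names: it says "use validationFailureAction under the validate rule" and "use validationFailureActionOverrides under the validate rule", but the fields added under `validate` earlier in this diff are `failureAction` and `failureActionOverrides`. Anyone following this description will hit a schema error; fix both descriptions here and in the upstream type comments.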
@@ -4181,13 +5111,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4203,14 +5135,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
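Review bot: `failurePolicy` (new block) is documented as "Defaults to Fail" but carries no `default:` in the schema, so the default exists only in controller code; add `default: Fail` so `kubectl explain` and dry-runs reflect it, given that `Ignore` fails open when the webhook errors or times out. The sentence "This field should not be accessed directly, instead `GetFailurePolicy()` should be used" is Go implementation guidance leaking from the type's doc comment and does not belong in a CRD description. Moving "Requires Kubernetes 1.27 or later" from `webhookConfiguration` to `matchConditions` is the correct scoping.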
@@ -4218,9 +5161,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4228,9 +5170,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4241,22 +5182,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
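Review bot: The deprecation text on `webhookTimeoutSeconds` says to use `webhookTimeoutSeconds under webhookConfiguration`, but the field added under `webhookConfiguration` in this same hunk is named `timeoutSeconds`; correct the description. `timeoutSeconds` states the value must be between 1 and 30 seconds, yet the schema has only `format: int32` with no `minimum:`/`maximum:`, so out-of-range values are accepted by the API server and only caught later; add the bounds.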
@@ -4279,16 +5224,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4296,9 +5240,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4309,9 +5252,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -4324,8 +5266,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -4350,8 +5303,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -4361,9 +5319,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -4377,8 +5335,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -4422,8 +5396,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -4497,15 +5473,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
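Review bot: The new `not: required: [any, all]` under `exclude` enforces that `any` and `all` are mutually exclusive, but the description above it does not mention this; add a sentence so the constraint is discoverable before a policy is rejected. The same pattern is applied to `name`/`names` under `resources` in the following hunks and should get the same documentation.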
@@ -4521,8 +5503,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4583,13 +5569,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4655,13 +5643,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4728,8 +5718,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4790,13 +5784,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4862,13 +5858,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4931,8 +5929,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4993,13 +5995,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5064,13 +6068,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5185,13 +6191,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5207,8 +6215,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
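Review bot: the `foreach` items added under `generate` in this hunk describe `data` and `clone` as mutually exclusive ("At most one of Data or Clone can be specified"), but unlike the `match`/`exclude` changes elsewhere in this diff nothing in the schema enforces it; `clone`, `cloneList` and `data` can all be set on one item and the conflict is only caught at runtime. The same `not: required:` treatment used for `any`/`all` would close that gap. Two smaller points in the same hunk: the `list` description ("to which the validation logic is applied") is copied from the validate schema and should say generate; and `imageRegistryCredentials.allowInsecureRegistry` is a per-policy switch for insecure registry access, so any policy in this repo that sets it should be called out in review, since the image data fetched that way feeds the generated resources.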
@@ -5280,8 +6741,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -5297,8 +6762,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5359,13 +6828,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5431,13 +6902,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5504,8 +6977,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5566,13 +7043,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5638,13 +7117,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5707,8 +7188,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5769,13 +7254,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5840,13 +7327,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5917,8 +7406,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
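Review bot: the `oneOf` added to the context entry in this hunk is out of sync with the description above it, which still reads "Either a ConfigMap reference or a APILookup must be provided" while the schema now enumerates five alternatives (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`). Update the description to list all five (and fix "a APILookup"). It is also a behavioural tightening: a single context entry that sets more than one of these keys is now rejected when the policy is admitted rather than resolved by the engine, so it belongs with the other schema-breaking changes in the release notes.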
@@ -5944,8 +7444,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
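Review bot: the new `default` on `apiCall` in this hunk changes failure semantics and deserves a security call-out rather than a bare schema entry: per its description the context value is set to `default` "if the apiCall returns error", so a lookup that previously surfaced as an error now succeeds with a fixed value. For a validate rule that gates on data from the API server or an external JSON service, a permissive default turns an outage of that service into a pass. Suggest the description spell out that the rule proceeds as if the call had succeeded, and that any policy in this repo adopting `default` picks a value that makes the rule fail when the lookup is unavailable.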
@@ -5955,9 +7460,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -5971,8 +7476,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
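Review bot: `headers[].value` in this hunk is a plain `type: string` with no Secret-backed alternative, so anything a policy author puts there (an `Authorization` header for the JSON web service is the obvious case) sits in cleartext in the policy object and in every rendered diff like this one. The `caBundle` sibling shows the TLS side was considered; the credential side was not. Suggest the description warn against placing credentials in `headers`, and that reviewers of policies in this repo treat a static `Authorization` or API-key header here as a finding, preferring a service that authenticates the caller by network identity.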
@@ -6020,8 +7544,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6097,8 +7623,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -6237,8 +7765,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
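Review bot: `mutateExistingOnPolicyUpdate` is added without a `default:`, unlike the other behaviour switches in this CRD (`skipBackgroundRequests` and `allowExistingViolations` both carry `default: true`). Since this flag decides whether editing a policy immediately rewrites existing resources, the effective default when the field is omitted should be stated in the description so a reader of the rendered CRD does not have to guess.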
@@ -6265,8 +7798,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -6292,8 +7836,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -6303,9 +7852,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6319,8 +7868,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6368,8 +7936,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6445,8 +8015,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -6464,8 +8036,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -6483,8 +8103,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -6493,13 +8120,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
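Review bot: `allowExistingViolations` in this hunk defaults to `true`, which per its description lets resources that already violate a rule keep violating it; that is the permissive choice, so any policy in this repo that is meant to reject updates to already-non-compliant resources needs an explicit `allowExistingViolations: false` after this upgrade. The description also has a typo ("prexisting"). Separately, `assert` is `type: object` with `x-kubernetes-preserve-unknown-fields: true` and no further schema, so a mistyped assertion key is accepted silently; kyverno-json rules should be covered by CLI tests rather than relying on CRD validation.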
@@ -6516,21 +8153,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -6542,15 +8176,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -6569,14 +8201,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -6591,12 +8223,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -6615,10 +8247,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -6690,29 +8322,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
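Review bot: the rendered `namespace` description in this `ParamRef` hunk is now broken mid-sentence: the removed lines "If `paramKind` is cluster-scoped, this field MUST be unset. Setting this" and "If `paramKind` is namespace-scoped, the namespace of the object being" leave "field results in a configuration error." and "evaluated for admission will be used when this field is left unset." dangling without a subject. The lost sentences are precisely the ones that tell a policy author when `namespace` must be left unset, so this is worth fixing in the generator or the upstream type comment rather than shipping as-is.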
@@ -6725,22 +8357,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
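Review bot: the description in this hunk changes from "Default to `Deny`" to "Required" for the parameter-not-found action, but nothing visible here adds a `default:` or a `required:` entry for that field, so as rendered a binding that omits it is neither defaulted to `Deny` nor rejected. Confirm the field is present in the enclosing object's `required` list; `Deny` is the safe direction when no parameters match, and a description that says "Required" without schema enforcement is the worst of both.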
@@ -6769,13 +8399,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -6793,9 +8425,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -6810,8 +8443,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -6824,8 +8458,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
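Review bot: The enum for `failureActionOverrides[].action` accepts `audit`/`enforce`/`Audit`/`Enforce` while the sibling `failureAction` two levels up accepts only `Audit`/`Enforce`, so `failureAction: audit` is rejected by the schema but `action: audit` in an override is accepted. Pick one casing for both (or accept both in both). The `failureAction` description says "Optional." but never states the default when unset, which matters here because the default decides whether a failing rule blocks the request or is only reported; add "Defaults to Audit" (or whatever the controller does). The `namespaces:` list under the override item has no `description:` at all.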
@@ -6847,8 +8562,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
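Review bot: The new `oneOf` enforces exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`, but the description immediately above it still reads "Either a ConfigMap reference or a APILookup must be provided." Update that sentence to list the five alternatives so the error a user sees from the schema matches the docs. The same stale sentence appears with each copy of this `oneOf` later in the diff, so fix it in the source type rather than per-copy.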
@@ -6874,8 +8600,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
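Review bot: The added `default:` on `apiCall` turns a lookup failure from fail-closed into fail-open, and the description "if the apiCall returns error" does not say which failures qualify (non-2xx status, TLS/timeout errors, or a JMESPath that fails to evaluate). Spell out the trigger conditions, fix the grammar ("returns an error"), and add a sentence warning policy authors to choose a default that makes the dependent rule deny, otherwise an outage of the upstream service quietly disables the check.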
@@ -6885,9 +8616,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6901,8 +8632,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
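Review bot: `headers[].value` is a plain string inside the policy spec, so an `Authorization` or API-key header for the external `service` ends up in the ClusterPolicy object, readable by anyone with `get` on policies and committed to Git history. The description "Headers is a list of optional HTTP headers to be included in the request." should say this explicitly (or the field should offer a Secret reference form, as `imageRegistryCredentials.secrets` does elsewhere in this CRD). The `Key`/`Value` descriptions could also note that header names are sent as given, with no normalisation.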
@@ -6950,8 +8700,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -7027,8 +8779,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -7238,8 +8992,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
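Review bot: The `tsaCertChain` description has a typo, "timestamurce" (presumably "timestamp response"), and calls the value a "certificate chain file" although in a CRD string field it must be the PEM content itself, not a path. This exact text is repeated for every attestor block in this diff (keyless, keys and certificates sections, several times each), so correct it in the shared type and regenerate rather than patching copies.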
@@ -7288,13 +9048,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -7324,8 +9095,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
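Review bot: `subjectRegExp` here and `issuerRegExp` in the preceding hunk do not say whether the regular expression must match the whole identity string or only a substring. Without that, a pattern such as `.*@example.com` also matches `attacker@example.com.evil`, which is a real weakening of keyless verification. The description should state that patterns are full-string matches (or that authors must anchor them with `^`/`$`), and nothing in the hunk prevents setting both `subject` and `subjectRegExp` (or `issuer` and `issuerRegExp`) at once; if they are meant to be exclusive, add a `not:`/`oneOf` constraint like the one used for `exclude.any`/`all` later in this diff.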
@@ -7344,8 +9121,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7402,19 +9185,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
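Review bot: The deprecated `keys.signatureAlgorithm` keeps `default: sha256` while the new attestor-level `signatureAlgorithm` also defaults to `sha256`, so the controller cannot distinguish "user left the old field unset" from "user explicitly chose sha256" when the new field says sha512. Document the precedence, and consider dropping the default on the deprecated field so only the new one is authoritative. The replacement text "Deprecated. Use attestor.signatureAlgorithm instead." should also keep the list of supported values or point to it. The same pattern recurs twice more below for the other attestor copies.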
@@ -7642,8 +9429,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -7694,13 +9487,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -7732,8 +9537,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -7753,8 +9565,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7813,19 +9631,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -7940,8 +9764,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -8009,8 +9836,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -8059,13 +9892,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -8095,8 +9939,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -8115,8 +9965,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -8173,22 +10029,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
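Review bot: The image-verification `failureAction` added here has only "Allowed values are Audit or Enforce." as its description, with no default and no statement of how it combines with the rule-level `validate.failureAction`, the `failureActionOverrides` and the deprecated `validationFailureAction`; copy the fuller text used for the validate rule and add the precedence. `cosignOCI11` is described as experimental with `Defaults to false`, which is fine, but note in the description that flipping it changes how signatures are discovered, so a policy that verified images before may stop finding them.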
@@ -8273,42 +10145,58 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
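Review bot: Adding `- match` to `required:` for rules rejects any existing policy whose rule relies on an empty or absent `match`; that is a breaking change for users upgrading the CRD and should be called out prominently. The `type` description says "Cosign, Sigstore Bundle and Notary" while the enum value is `SigstoreBundle`; use the enum spelling in the prose so users do not type the space. The new `validate.deny` block under image verification inherits the same "will be deprecated in the next major release" wording as the legacy deny list, which reads oddly for a freshly added field.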
@@ -8347,14 +10235,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -8406,10 +10289,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
@@ -8423,11 +10304,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
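Review bot: Dropping the `VALIDATE ACTION` printer column (`.spec.validationFailureAction`) removes the only at-a-glance indication of whether a policy enforces or merely audits from `kubectl get`, which operators use during rollouts. If `validationFailureAction` is going away in favour of `failureAction`, add a replacement column that points at the new field, or note the loss in the changelog.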
@@ -8504,30 +10382,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
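Review bot: The new `emitWarning` description still refers to "validate policy rules with validationFailureAction set to Audit", but this diff deprecates that field elsewhere (printer column removed, `failureAction` added); update it to `failureAction` so the two do not drift. The `failurePolicy` replacement text "Deprecated, use failurePolicy under the webhookConfiguration instead." should say which value wins when both are set, since this field controls whether admission fails open (`Ignore`) or closed (`Fail`) on webhook errors and an unexpected precedence silently changes that. Punctuation is also inconsistent across the three deprecation notices (one ends with a period, two do not).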
@@ -8550,9 +10429,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -8560,9 +10438,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -8573,9 +10450,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -8588,8 +10464,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -8614,8 +10501,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -8625,9 +10517,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -8641,8 +10533,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -8686,8 +10594,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -8760,15 +10670,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
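Review bot: The `not: required: [any, all]` constraint on `exclude` only rejects objects that set both keys, which is the intended mutual exclusion, but it does not require at least one of them, so `exclude: {}` remains valid and excludes nothing; if that is intentional, a sentence in the description saying so would prevent users from assuming a schema error will catch an empty block.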
@@ -8784,8 +10700,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -8846,13 +10766,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8917,13 +10839,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8990,8 +10914,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9052,13 +10980,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9123,13 +11053,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9243,13 +11175,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9265,8 +11199,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
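Review bot: the `allowInsecureRegistry` description in this hunk ("allows insecure access to a registry") should spell out what is relaxed, because this is the switch a policy author will flip when an `imageRegistry` lookup fails against a self-signed or plain-HTTP registry, and image metadata fetched from a registry whose identity was not verified is not a trustworthy input for a rule. In the same block, the `secrets` description states that credential Secrets "must live in the Kyverno namespace"; that means anyone with write access to policies can reference any Secret in that namespace as a registry credential, which is worth one sentence so that reviewers of policy RBAC see the implication. The `generateExisting` description at the end of the hunk would also benefit from stating its default, since "If is set to "true"" reads as if it were a string rather than the boolean the schema declares.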
@@ -9338,8 +11717,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
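Review bot: the new `not: required: [any, all]` makes `any` and `all` mutually exclusive at the CRD level, but the `MatchResources` description just above it is unchanged and still says only "At least one kind is required", which the schema does not enforce either. Suggest adding a line to the description so that policy authors understand why a manifest with both blocks is now rejected on apply instead of at admission time.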
@@ -9355,8 +11738,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
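Review bot: same remark as for `any`/`all`: `name` and `names` under `resources` are now mutually exclusive in the schema while the `ResourceDescription` description is untouched. Existing policies that set both fields will keep running but be rejected on their next update; that deserves a line in the release notes alongside a description fix.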
@@ -9417,13 +11804,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
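Review bot: the two `x-kubernetes-list-type: atomic` additions on `values` and `matchExpressions` change server-side apply ownership, not just documentation: the whole list is now owned and replaced by a single field manager, so two appliers can no longer each contribute one requirement to a selector. This matches upstream `metav1.LabelSelector`, and the same change is repeated on every selector copy in this diff, so a single release-note line covering all of them would be enough.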
@@ -9488,13 +11877,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9561,8 +11952,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9623,13 +12018,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9694,13 +12091,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9772,8 +12171,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
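Review bot: the `oneOf` block now requires exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`, but the `ContextEntry` description immediately above it still reads "Either a ConfigMap reference or a APILookup must be provided", which names only two of the five. Please update the description, and note in the changelog that a context entry with none or more than one of these keys will now fail CRD validation on its next write instead of being silently tolerated.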
@@ -9798,8 +12208,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
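Review bot: `default` is substituted "if the apiCall returns error", which turns an unreachable or erroring API server into a normal policy evaluation with a value the author chose in advance. For a validate rule whose deny condition depends on the response, that is a fail-open path unless the default is chosen to trigger the deny, and the description does not say whether the underlying error is reported anywhere. Suggest the description state that the error is swallowed and advise picking a default that yields the conservative outcome for the rule.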
@@ -9809,9 +12224,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -9825,8 +12240,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
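Review bot: `headers` carries `key`/`value` as plain strings with no Secret reference, so an `Authorization` or API-key header for the external JSON service ends up in clear text inside the policy object, readable by anyone with `get` on policies and present in every export and GitOps repo that holds the policy. The description should say so, and the `caBundle` text alongside it should also state what is used for server verification when `caBundle` is unset, since this hunk does not say.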
@@ -9872,8 +12306,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -9947,8 +12383,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -10084,8 +12522,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
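Review bot: `mutateExistingOnPolicyUpdate` has no stated default in its description, and "applied on policy events" leaves open which events count. When it is on, editing the policy rewrites already-admitted resources that match the rule, so write access to the policy becomes write access to every matched target; the description should name the default and make that consequence explicit so reviewers treat enabling it as a privilege decision.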
@@ -10112,8 +12554,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -10138,8 +12591,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -10149,9 +12607,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10165,8 +12623,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -10212,8 +12689,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -10287,8 +12766,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -10306,8 +12787,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
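Review bot: the new `selector` on mutate targets does not say how it composes with the other target fields shown in the surrounding context (`kind`, `preconditions`, `uid`), nor whether an empty `selector: {}` selects every resource of the kind, as the same construct does for `paramRef.selector` elsewhere in this diff. Because this widens what a mutateExisting rule can touch, the description should state the composition rule and the empty-selector behaviour.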
@@ -10427,8 +12956,12 @@
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
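Review bot: `assert` is declared as a bare `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the assertion tree is not validated by the API server at all and a malformed tree will only surface when the rule is evaluated. The one-line description should at least link the kyverno-json assertion syntax and state how a tree that fails to parse is treated (error vs. pass), since that decides whether a typo in an assertion fails open.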
@@ -10445,21 +12978,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -10471,15 +13001,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -10497,9 +13025,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -10517,12 +13045,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -10540,9 +13068,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -10614,29 +13142,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -10649,22 +13177,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
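Review bot: the `parameterNotFoundAction` description drops "Default to `Deny`" and replaces it with "Required", but the hunk shows neither a `required:` entry nor an `enum` for the field, so "Required" is documentation only. A policy that omits the field was previously documented to deny; with this text it has no stated behaviour. Either add the schema constraint or keep a sentence describing what happens when the field is absent.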
@@ -10693,13 +13219,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -10717,9 +13245,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -10734,8 +13263,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -10837,8 +13367,89 @@
type: object
type: array
type: object
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
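Review bot: the `action` enum inside `failureActionOverrides` accepts `audit`, `enforce`, `Audit` and `Enforce`, while the sibling `failureAction` accepts only `Audit` and `Enforce`; a policy that copies the lowercase spelling from an override into `failureAction` will be rejected, which is confusing for something that is meant to be the same setting. Please align the enums or document the difference, and state the default for `failureAction`, since "Optional" without a default does not tell the author whether an omitted value audits or enforces.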
@@ -10859,8 +13470,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -10885,8 +13507,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -10896,9 +13523,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10912,8 +13539,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -10959,8 +13605,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -11034,8 +13682,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -11241,8 +13891,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
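Review bot: the `tsaCertChain` description ends in a truncated word, "timestamurce", and the same garbled sentence is repeated in every copy of this field in the diff. Since this chain is the trust root for RFC3161 timestamp verification ("Must contain the root CA certificate"), the description should read cleanly; please fix the wording upstream rather than patching one copy.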
@@ -11291,13 +13947,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
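Review bot: `issuerRegExp` (and `subjectRegExp` in the following hunk) is added next to the exact-match `issuer`/`subject` fields with no `oneOf` or `not` constraint, so the schema allows both forms at once and the description does not say which wins. Regular expressions on signer identity also widen trust in a way that is easy to get wrong: an unanchored pattern matches any substring of the issuer or subject, so the description should recommend anchoring and state the precedence between the exact and regex fields.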
@@ -11327,8 +13994,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -11347,8 +14020,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11404,18 +14083,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
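Review bot: the `signatureAlgorithm` under `keys` is marked "Deprecated. Use attestor.signatureAlgorithm instead" but keeps `default: sha256`, and the new attestor-level field also defaults to `sha256`. When a user sets the new field to `sha512` and leaves the deprecated one untouched, both are populated with different values and this hunk does not say which one is used for verification; the description should state the precedence, or the deprecated field should lose its default so that an explicit value is the only way to set it.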
@@ -11631,8 +14315,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -11681,13 +14371,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -11717,8 +14418,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
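Review bot: the same caveat applies to `subjectRegExp` as to `issuerRegExp`, and more so, because the subject is the signer identity check of keyless verification: an unanchored or overly broad pattern widens the set of signers a rule trusts. Review any policy that switches from `subject` to `subjectRegExp`, and prefer `subject` where the signing identity is a fixed value such as a single e-mail address.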
@@ -11737,8 +14444,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11795,19 +14508,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
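Review bot: `keys.signatureAlgorithm` is now marked `Deprecated. Use attestor.signatureAlgorithm instead.` and the same field appears one level up, beside `repository`, with the same `default: sha256`. The deprecated field stays in the schema, so existing policies still apply unchanged, but any policy in this repository that sets it under `keys` should be migrated to the attestor level before the deprecated field is dropped in a later release.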
@@ -11922,8 +14639,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -11991,8 +14711,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -12040,13 +14766,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -12075,8 +14812,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -12095,8 +14838,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -12151,22 +14900,33 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
list must match the image for the rule to apply. Each image reference consists of a registry
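Review bot: `failureAction` (`Audit` / `Enforce`) is a new per-rule field on image verification rules and carries no `default:` in the schema, so the behaviour when it is unset is decided by the controller rather than the API server. Confirm what the bundled controller does when the field is absent and only the spec-level `validationFailureAction` is set, and set `failureAction: Enforce` explicitly on image-verification rules that must block unsigned images rather than report them.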
@@ -12238,23 +14998,47 @@
Type specifies the method of signature validation. The allowed options
are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
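Review bot: the addition of `- match` under `required` for policy rules is a breaking schema change, not an additive one: any existing rule without a `match` block will be rejected by the API server on the next create or update, and a GitOps controller will no longer be able to re-apply such a policy. Run the policies in this repository through a dry-run against the new CRD before merging. The other changes in this hunk are additive (`SigstoreBundle` as a new `type` enum value, and the `validate.deny` conditions block for image verification).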
@@ -12267,23 +15051,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
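Review bot: the spec-level `validationFailureAction` and `validationFailureActionOverrides` are now marked deprecated in favour of the same fields under the `validate` rule, but they keep their schema (`default: Audit` and the four enum values). Because the default stays `Audit`, a policy that relies on the spec-level field to enforce keeps enforcing only as long as the controller honours the deprecated field; migrate enforcing policies to the rule-level field so that removal of the deprecated one does not silently downgrade them to audit.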
@@ -12325,13 +15105,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12347,14 +15129,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
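Review bot: `webhookConfiguration.failurePolicy` (`Ignore` / `Fail`, documented as `Defaults to Fail`) is new and security-relevant: `Ignore` makes the admission webhook fail open for that policy, so a timeout or a controller outage admits the request unchecked. The schema carries no `default:` entry, so the documented `Fail` default is applied by the controller, not the API server. Keep `Ignore` off enforcing security policies and treat any policy that sets it as needing explicit sign-off. Note also that `Requires Kubernetes 1.27 or later.` moved from the `webhookConfiguration` description down to `matchConditions`, so that requirement now applies to match conditions only.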
@@ -12362,9 +15155,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12372,9 +15164,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12385,22 +15176,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
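Review bot: `webhookConfiguration.timeoutSeconds` replaces the now-deprecated spec-level `webhookTimeoutSeconds`, but neither field carries `minimum:` / `maximum:` even though the description states `the value must be between 1 and 30 seconds`; the schema has only `format: int32` and `type: integer`, so out-of-range values pass API-server validation and are rejected or clamped only by the controller. Policies that set the deprecated field should migrate to `webhookConfiguration.timeoutSeconds`.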
@@ -12423,16 +15218,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12440,9 +15234,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12453,9 +15246,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -12468,8 +15260,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
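Review bot: the new `oneOf` on context entries makes the API server enforce that exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` is set; a context entry with none of them, or with two, is now rejected on apply. This tightens validation rather than changing behaviour, but it is one more reason to dry-run the repository's policies against the new CRD. The description directly above it, `Either a ConfigMap reference or a APILookup must be provided.`, is stale against the five-way `oneOf`.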
@@ -12494,8 +15297,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
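Review bot: `apiCall.default` (`Default is an optional arbitrary JSON object that the context value is set to, if the apiCall returns error.`) turns a failed lookup into a successful one with a substituted value. For a context entry that feeds a security decision this is a fail-open path: a lookup error during an outage yields the default instead of failing the rule. Policies that add a `default` should pick a value that makes the following condition deny, not allow.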
@@ -12505,9 +15313,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -12521,8 +15329,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
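Review bot: `service.headers` adds free-form `key` / `value` string pairs to outbound web-service calls with no secret reference, so any credential placed in a header (an `Authorization` value, an API key) lives in plaintext in the policy object and in Git and is readable by anyone with `get` on policies. Prefer services that do not require a bearer header, or keep such values out of policy manifests; `caBundle` remains the right place to pin the server certificate.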
@@ -12566,8 +15390,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -12641,15 +15467,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
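Review bot: the `not: required: [any, all]` block under `exclude` makes `any` and `all` mutually exclusive at the schema level; a rule that sets both is now rejected on apply. The same constraint is added under `match` further down in this diff. Check existing policies for rules that combine the two.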
@@ -12665,8 +15497,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
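Review bot: `not: required: [name, names]` under `resources` rejects specifying both `name` and `names` in one resource description, which the previous schema allowed. Policies that set both now fail validation and need one of the two removed; this constraint repeats for every `resources` block in the diff.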
@@ -12727,13 +15563,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12799,13 +15637,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12872,8 +15712,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12934,13 +15778,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13006,13 +15852,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13075,8 +15923,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13137,13 +15989,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13208,13 +16062,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13329,13 +16185,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13351,8 +16209,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
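Review bot: two schema points on the new `generate.foreach` and `generateExisting` fields. `generateExisting` carries no `default:`, so whether a rule with the field unset is applied to pre-existing resources is controller behaviour; since generate rules create objects in target namespaces, a policy should set it explicitly. The `list` description under `foreach` says `to which the validation logic is applied`, copied from the validate variant, where it should refer to the generate logic; that text and the stale `Either a ConfigMap reference or a APILookup` sentence under `context` are upstream CRD text, so there is nothing to change in this repository beyond being aware of them.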
@@ -13424,8 +16735,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -13441,8 +16756,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13503,13 +16822,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13575,13 +16896,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13648,8 +16971,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13710,13 +17037,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13782,13 +17111,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13851,8 +17182,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13913,13 +17248,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13984,13 +17321,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14061,8 +17400,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
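Review bot: the description kept two lines above the new `oneOf` ("Either a ConfigMap reference or a APILookup must be provided") is now stale: the schema enumerates five alternatives (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`) and `oneOf` requires exactly one of them, so an entry with none or with two of these keys is rejected. The upstream description should be updated to match; for this upgrade, check context entries that mix keys.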
@@ -14088,8 +17438,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
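Review bot: the new `apiCall.default` makes a failed lookup fail open by construction: when the API call errors, the context variable silently takes the configured value and rule evaluation continues. When this is used under a `validate` rule, choose a default that makes the rule deny (or leave the field unset so the error surfaces) rather than one that coincidentally satisfies the check while the data source is unreachable, and watch for error metrics on the call. The schema only sets `x-kubernetes-preserve-unknown-fields`, so no structure of the default is validated.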
@@ -14099,9 +17454,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14115,8 +17470,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
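Review bot: the new `headers` list on `apiCall.service` has plain `key`/`value` strings and no secret indirection, so any credential placed there (for example a bearer token for an external JSON web service) is stored in clear inside the policy object, which for ClusterPolicy is cluster-scoped and readable by anyone with `get` on that resource. Scope read access to policy objects accordingly and prefer the `caBundle`/service-side authentication already in this schema over embedding tokens in policy.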
@@ -14164,8 +17538,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14241,8 +17617,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -14381,8 +17759,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
@@ -14409,8 +17792,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -14436,8 +17830,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -14447,9 +17846,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14463,8 +17862,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -14512,8 +17930,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14589,8 +18009,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -14608,8 +18030,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -14627,8 +18097,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -14637,13 +18114,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
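Review bot: `allowExistingViolations` ships with `default: true`, so pre-existing violating resources keep passing unless a policy sets it to `false` explicitly; that is the permissive choice and worth making explicit in policies that are meant to be Enforce-grade. The new `assert` field is `x-kubernetes-preserve-unknown-fields` with no further structure, so assertion trees are only checked by the controller, not by the API server.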
@@ -14660,21 +18147,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -14686,15 +18170,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -14713,14 +18195,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -14735,12 +18217,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -14759,10 +18241,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -14834,29 +18316,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -14869,22 +18351,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
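Review bot: the `parameterNotFoundAction` description drops "Default to `Deny`" and replaces it with "Required", but this hunk changes only the description text, not a `required:` list, so bindings that omit the field may still validate while the documented fail-closed default is gone. Confirm the effective behaviour for bindings that leave it unset before relying on it.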
@@ -14913,13 +18393,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14937,9 +18419,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -14954,8 +18437,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -14968,8 +18452,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
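Review bot: the enum for `failureActionOverrides[].action` accepts `audit`/`enforce` in lowercase as well as `Audit`/`Enforce`, while the top-level `failureAction` enum added in the same hunk accepts only the capitalised forms, so a value copied from an override into `failureAction` fails validation. The `namespaces` array also has no `description`. Both should be aligned upstream; here, use the capitalised forms consistently.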
@@ -14991,8 +18556,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -15018,8 +18594,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -15029,9 +18610,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -15045,8 +18626,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -15094,8 +18694,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -15171,8 +18773,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -15382,8 +18986,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
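Review bot: the `tsaCertChain` description contains the garbled word "timestamurce" and is repeated verbatim in every `tsaCertChain` addition in this diff; it should be fixed upstream. The text also calls the value a "certificate chain file" while the schema type is `string`, so it is worth confirming whether the field takes PEM content inline or a path before policies depend on it; for RFC 3161 verification the chain must include the root CA, as the description states.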
@@ -15432,13 +19042,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -15468,8 +19089,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -15488,8 +19115,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15546,19 +19179,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
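Review bot: `signatureAlgorithm` under the key entry is now marked "Deprecated. Use attestor.signatureAlgorithm instead", and a new attestor-level `signatureAlgorithm` is added with the same `default: sha256`. Because the deprecated field keeps its default, existing policies still validate, but the schema does not say which value wins when both are set; policies that rely on sha384/sha512 keys should set the attestor-level field explicitly and drop the old one.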
@@ -15786,8 +19423,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -15838,13 +19481,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -15876,8 +19531,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -15897,8 +19559,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15957,19 +19625,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -16084,8 +19758,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -16153,8 +19830,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -16203,13 +19886,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -16239,8 +19933,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -16259,8 +19959,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -16317,22 +20023,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
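Review bot: `cosignOCI11` is documented as "Defaults to false" but carries no `default: false` in the schema, unlike `useCache` and `verifyDigest` in this CRD which declare their defaults; the upstream schema should add it so the experimental behaviour is never enabled implicitly. The new `failureAction` on image verification mirrors the validate-level one (Audit/Enforce only).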
@@ -16417,42 +20139,58 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
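Review bot: `match` becoming required for every rule (`required: - match - name` near the end of the hunk) is a breaking CRD change: an existing Policy or ClusterPolicy manifest with a rule that has no `match` block will be rejected by the API server after the CRD upgrade, so grep this repo's policies for such rules before merging. The rest of the hunk is additive: the new `SigstoreBundle` attestor type and the `validate.deny` block on imageVerify rules do not change how existing Cosign or Notary rules evaluate.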
@@ -16491,14 +20229,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -16550,10 +20283,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml 2024-11-22 16:45:00.512259689 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml 2024-11-22 16:44:29.212434748 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: globalcontextentries.kyverno.io
spec:
group: kyverno.io
names:
@@ -62,8 +62,13 @@
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
+ oneOf:
+ - required:
+ - kubernetesResource
+ - required:
+ - apiCall
properties:
apiCall:
description: |-
Stores results from an API call which will be cached.
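Review bot: the new `oneOf` on `spec` (`kubernetesResource` versus `apiCall`) rejects a GlobalContextEntry that sets both or neither; an entry in this repo that relied on the controller to pick one will now fail validation at apply time, so check this together with the `required: resource, version` change further down in this file.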
@@ -92,9 +97,10 @@
type: object
type: array
method:
default: GET
- description: Method is the HTTP request type (GET or POST).
+ description: Method is the HTTP request type (GET or POST). Defaults
+ to GET.
enum:
- GET
- POST
type: string
@@ -105,8 +111,14 @@
The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,
such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
format: duration
type: string
+ retryLimit:
+ default: 3
+ description: RetryLimit defines the number of times the APICall
+ should be retried in case of failure.
+ minimum: 1
+ type: integer
service:
description: |-
Service is an API call to a JSON web service.
This is used for non-Kubernetes API server calls.
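Review bot: `retryLimit` defaults to 3 with `minimum: 1`, and nothing in the schema describes a backoff, so an apiCall against an external service that is down will be attempted at least three times per refresh; keep the duration field just above generous for entries that target third-party web services, and note that retries cannot be disabled because the minimum is 1, not 0.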
@@ -116,8 +128,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers to
+ be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
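Review bot: `service.headers` carries header values as plain strings inside the GlobalContextEntry object, so anything placed there (an `Authorization` bearer token, an API key) lands in etcd in cleartext and is readable by anyone with get or list on globalcontextentries; the schema offers no secret reference, so do not use it for credentials. Keep `caBundle` populated for the same entries so the outbound call verifies the server certificate.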
@@ -155,25 +183,20 @@
type: string
version:
description: Version defines the version of the resource.
type: string
+ required:
+ - resource
+ - version
type: object
type: object
status:
description: Status contains globalcontextentry runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
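Review bot: `resource` and `version` are now required under `kubernetesResource`; a GlobalContextEntry that omits `version` will be rejected after the CRD upgrade, so verify the repo's existing entries set both before rolling the CRDs out.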
@@ -212,14 +235,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -237,10 +255,8 @@
type: string
ready:
description: Deprecated in favor of Conditions
type: boolean
- required:
- - ready
type: object
required:
- spec
type: object
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 2024-11-22 16:44:29.212434748 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: policies.kyverno.io
spec:
group: kyverno.io
names:
@@ -32,11 +32,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
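Review bot: dropping the `VALIDATE ACTION` printer column means `kubectl get policy` no longer shows whether a policy is Audit or Enforce; anyone who used that column as a quick enforcement check now has to read the spec directly (`validationFailureAction`, or the per-rule `failureAction` introduced in this chart version), so update any runbooks or dashboards that parsed it.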
@@ -114,31 +111,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
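Review bot: `spec.failurePolicy` is deprecated in favour of `webhookConfiguration.failurePolicy`, but the enum (Ignore/Fail) stays and the diff says nothing about whether the old field is still honoured. Because `Ignore` makes the admission webhook fail open, any policy here that sets `failurePolicy` should be migrated in the same change and the resulting webhook configuration checked, rather than assuming the previous fail-open or fail-closed behaviour carries over. The same applies to the spec-level `generateExisting` and `mutateExistingOnPolicyUpdate`, which move under the generate and mutate rules. The new `emitWarning` is documented to extend admission processing time and defaults to false, so it is safe to leave unset.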
@@ -154,16 +151,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
- by fulfilled for a request to be sent to a webhook.
+ be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -171,9 +167,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -184,9 +179,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -199,8 +193,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
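Review bot: the `oneOf` over configMap/apiCall/imageRegistry/variable/globalReference now rejects a context entry that declares more than one source (or none), where the description previously only said one "must be provided"; a policy that combines, say, `variable` and `apiCall` in one entry will fail CRD validation after the upgrade.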
@@ -225,8 +230,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
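Review bot: `apiCall.default` makes a failed API call non-fatal by substituting a fixed value into the context. That helps availability, but for a validate rule it is also a fail-open path: if the default is shaped so the downstream condition passes, an outage of the API server or web service silently switches the check off. For anything security-relevant prefer a default that makes the rule deny, or no default so the rule errors, and reserve `default` for informational or mutate-only lookups.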
@@ -236,9 +246,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -252,8 +262,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -297,8 +323,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -371,15 +399,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
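Review bot: the new `not: required: [any, all]` on `exclude` makes `any` and `all` mutually exclusive within one exclude block; an existing policy that mixes both, which older CRDs accepted, will now be rejected. In the same hunk, `name` becomes required for every context entry, so an unnamed entry now fails at apply time.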
@@ -395,8 +429,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
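Review bot: `name` and `names` under `resources` are now mutually exclusive (`not: required: [name, names]`); the same constraint is applied to every match and exclude block later in the diff, so one search for resource descriptions that set both is enough to cover all of them before the upgrade.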
@@ -457,13 +495,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -528,13 +568,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -601,8 +643,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -663,13 +709,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -734,13 +782,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -803,8 +853,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -864,13 +918,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -934,13 +990,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1052,13 +1110,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1074,8 +1134,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
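Review bot: the generate `foreach` block brings the full context machinery into generate rules, including `imageRegistry` lookups with `allowInsecureRegistry` and `secrets` (which must live in the Kyverno namespace) and outbound `apiCall.service` requests with plain-string `headers`; the same caveats as for context entries elsewhere apply, and `allowInsecureRegistry: true` should not appear in a generate rule whose lookup results end up in generated resources. One documentation nit: the `list` description says the expression yields elements "to which the validation logic is applied", which is copied from the validate foreach and should say generate logic here. Also, `generateExisting` is now per-rule and has no default in the schema, so rules that relied on the old spec-level flag need it set explicitly.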
@@ -1147,8 +1652,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -1164,8 +1673,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1226,13 +1739,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1297,13 +1812,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1370,8 +1887,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1432,13 +1953,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1503,13 +2026,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1572,8 +2097,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -1633,13 +2162,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1703,13 +2234,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1779,8 +2312,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
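Review bot: the description above the new `oneOf` still says "Either a ConfigMap reference or a APILookup must be provided", but the constraint now admits exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`; suggest updating the description to list all five and state that they are mutually exclusive (and "a APILookup" should be "an APILookup"). Because `oneOf` rejects a context entry that sets more than one of these keys, any such entry in existing policies will fail validation after this change, which is worth verifying before merging.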
@@ -1805,8 +2349,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
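Review bot: the new `default` for `apiCall` means a failed API call no longer surfaces as an error but silently substitutes the configured value into the rule context; in a validate rule that lets a resource pass admission on a lookup failure whenever the default happens to satisfy the condition. Suggest the description make that fail-open risk explicit and recommend choosing a default that makes the rule deny (fail closed) when the lookup fails.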
@@ -1816,9 +2365,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -1832,8 +2381,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
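Review bot: the header `value` is a plain `type: string` with no way to reference a Secret, so any credential placed in `headers` (an Authorization header for the JSON web service, for example) is stored in cleartext in the policy object and is readable by anyone with get access to policies. Suggest the description say so and limit the field to non-sensitive headers until a secret reference is supported.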
@@ -1879,8 +2447,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -1954,8 +2524,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -2091,8 +2663,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
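Review bot: `mutateExistingOnPolicyUpdate` has no `default:` and its description does not say what happens when the field is omitted, whereas other booleans in this diff (`skipBackgroundRequests` with `default: true`, for instance) do. Suggest adding the default to the schema or the description, since whether a policy update re-mutates existing resources is behaviour operators need to predict before upgrading.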
@@ -2119,8 +2695,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2145,8 +2732,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2156,9 +2748,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2172,8 +2764,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -2219,8 +2830,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2294,8 +2907,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -2313,8 +2928,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -2332,8 +2995,14 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -2342,13 +3011,22 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting violating
+ resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
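Review bot: `allowExistingViolations` defaults to `true`, so pre-existing violators stay exempt unless an operator opts out; the description should spell out which operations the exemption covers and that setting it to `false` restores strict enforcement, and "prexisting" should be "preexisting". The `assert` description "Assert defines a kyverno-json assertion tree." would benefit from a documentation link, as the deny-rules description under validate already has.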
@@ -2365,21 +3043,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -2391,15 +3066,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -2417,9 +3090,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -2437,12 +3110,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -2460,9 +3133,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -2534,29 +3207,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -2569,22 +3242,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
@@ -2613,13 +3284,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2637,9 +3310,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -2654,8 +3328,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -2668,8 +3343,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
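Review bot: the `failureAction` enum accepts only `Audit` and `Enforce`, while `failureActionOverrides[].action` a few lines down also accepts lowercase `audit` and `enforce`; the two should agree, otherwise a lowercase value that works in an override is rejected at rule level. `failureAction` is also described as Optional without saying what it defaults to, while the deprecated top-level `validationFailureAction` later in this diff carries `default: Audit`; either add `default: Audit` here or state that the policy-level value is used when unset. `failureActionOverrides[].namespaces` has no description at all.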
@@ -2690,8 +3446,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -2716,8 +3483,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -2727,9 +3499,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2743,8 +3515,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -2790,8 +3581,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2865,8 +3658,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -3072,8 +3867,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
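Review bot: the `tsaCertChain` description ends in "the timestamurce", a garbled word, and the same text is repeated in every tsaCertChain hunk below, so it should be fixed once at the source type. The description also calls the value a "certificate chain file" while the schema type is `string`; clarify whether the field takes the PEM content inline or a path, since the root CA in this chain is the trust anchor for RFC 3161 timestamp verification and operators need to know exactly what they are pinning.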
@@ -3122,13 +3923,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
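Review bot: neither `issuerRegExp` here nor the `subjectRegExp` added in the next hunk says whether the regular expression is anchored or must match the whole issuer/subject string. Unanchored patterns are a known footgun for keyless verification: a pattern written for one identity can match a longer string that contains it, widening the set of signers the policy trusts. Suggest the descriptions state the matching semantics and recommend anchoring with `^...$`, and note that the exact-match `issuer`/`subject` fields remain the safer choice where the identity is fixed.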
@@ -3158,8 +3970,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3178,8 +3996,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3235,18 +4059,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
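Review bot: both the deprecated nested `signatureAlgorithm` and the new attestor-level one carry `default: sha256`, and the text "Deprecated. Use attestor.signatureAlgorithm instead." does not say which value wins when a policy sets both to different algorithms. Suggest documenting the precedence and the removal timeline; the same wording is repeated in the later signatureAlgorithm hunks.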
@@ -3473,8 +4302,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3523,13 +4358,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3559,8 +4405,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -3579,8 +4431,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3637,19 +4495,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -3764,8 +4626,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -3833,8 +4698,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3882,13 +4753,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -3917,8 +4799,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -3937,8 +4825,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -3993,22 +4887,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
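Review bot: the `failureAction` added under verifyImages is described only as "Allowed values are Audit or Enforce.", with no default and no statement of how it relates to the validate rule's `failureAction` or the policy-level setting; suggest reusing the fuller description from the validate rule earlier in this diff and stating the default. For `cosignOCI11`, defaulting the experimental behaviour to false is the right choice; the description should also say what differs when it is enabled so operators can judge the change.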
@@ -4092,26 +5002,50 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
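Review bot: adding `match` to the rule's `required` list is a breaking schema change: any existing rule without a `match` block will be rejected on apply after this upgrade, so current policies should be checked before merging. Minor: the `type` description says "Cosign, Sigstore Bundle and Notary" while the enum value is `SigstoreBundle`; quote the exact enum value so users know what to write.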
@@ -4124,23 +5058,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
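Review bot: the spec-level `validationFailureAction` and `validationFailureActionOverrides` are now marked deprecated in favour of the same fields under the `validate` rule, while the schema keeps `default: Audit` at the spec level. Policies in this repo that set `spec.validationFailureAction: Enforce` keep working for now, but when they are migrated the per-rule field must be set explicitly, otherwise the rule falls back to Audit and stops blocking admission. Suggest a follow-up that moves the repo's policies to the per-rule field before the spec-level one is removed upstream.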
@@ -4182,13 +5112,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
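Review bot: the `x-kubernetes-list-type: atomic` annotations added to `matchExpressions` and its `values` array change server-side-apply semantics: an atomic list is replaced wholesale by the last applier instead of being merged per element. This is harmless for the CRD itself, but any tooling here that applies partial selector patches to ClusterPolicy objects with SSA will now overwrite the whole list. The same annotation is repeated in the later `matchExpressions` hunks of this file and this comment applies to all of them.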
@@ -4204,14 +5136,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
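Review bot: the new `webhookConfiguration.failurePolicy` description carries an implementation note ("This field should not be accessed directly, instead `GetFailurePolicy()` should be used") that belongs in the Go source, not in user-facing CRD docs; worth an upstream docs fix. Functionally the `Fail` default is the right one: `Ignore` lets admission requests through whenever the Kyverno webhook errors or times out, which silently disables enforcement. Moving "Requires Kubernetes 1.27 or later" from the parent description down to `matchConditions` is correct, since `failurePolicy` has no such requirement. The typo "must by fulfilled" in the `MatchCondition` item description is fixed in a later hunk for `celPreconditions` but remains in the unchanged context lines here.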
@@ -4219,9 +5162,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4229,9 +5171,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4242,22 +5183,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
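Review bot: the deprecation text on `webhookTimeoutSeconds` ("Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.") names a field that does not exist; the field added under `webhookConfiguration` in this same hunk is `timeoutSeconds`, and a user following the message will get a schema rejection. Also, the new `timeoutSeconds` description says the value must be between 1 and 30 seconds but the schema has no `minimum`/`maximum`, so out-of-range values are not caught at admission; upstream should add `minimum: 1` and `maximum: 30` to match the description.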
@@ -4281,16 +5226,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -4298,9 +5242,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -4311,9 +5254,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -4326,8 +5268,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
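Review bot: the `oneOf` added to `ContextEntry` requires exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`. This is a tightening: a context entry with none, or more than one, of these keys was previously accepted by the schema and will now be rejected on apply. The description directly above it still says "Either a ConfigMap reference or a APILookup must be provided", which is out of date against the five alternatives the schema now enforces. The same `oneOf` is added for the mutate and generate context lists later in this diff.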
@@ -4352,8 +5305,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
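Review bot: the new `apiCall.default` is a fail-open knob: when the API call errors, the context variable is set to this value instead of the rule failing. That is a legitimate availability feature, but a permissive fallback (for example a value that makes a deny condition evaluate false) turns an API outage or an RBAC denial on the lookup into a policy bypass. Policies in this repo that adopt `default` should be reviewed so the fallback value is the restrictive one.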
@@ -4363,9 +5321,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -4379,8 +5337,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
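Review bot: the new `service.headers` list lets a policy send arbitrary HTTP headers to an external JSON service, and `value` is a literal string with no secret reference. Any bearer token or API key placed here ends up in the ClusterPolicy object, readable by every principal with `get` on clusterpolicies and preserved in GitOps history. Prefer a network-restricted or mutually authenticated endpoint (the existing `caBundle` field only covers server-side validation) and keep credentials out of this field.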
@@ -4424,8 +5398,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -4499,15 +5475,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
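Review bot: the `not: required: [any, all]` added under `exclude` (and under `match` in a later hunk) makes `any` and `all` mutually exclusive at the schema level; a block that set both was previously accepted by the schema and now fails CRD validation. The following hunks add a matching `not: required: [name, names]` on every `ResourceDescription`. Both are behavioural tightenings that only bite if existing policies set both keys, so the repo's match/exclude blocks should be checked before this is applied.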
@@ -4523,8 +5505,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4585,13 +5571,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4657,13 +5645,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4730,8 +5720,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4792,13 +5786,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4864,13 +5860,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -4933,8 +5931,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -4995,13 +5997,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5066,13 +6070,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5187,13 +6193,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5209,8 +6217,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
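Review bot: `generate.foreach` and `generateExisting` are new and both widen what a single policy can do: `foreach` lets one trigger create resources per element of a JMESPath list, including cross-namespace sources via `clone`/`cloneList`, and `generateExisting` applies the rule to every already-existing matched resource, so a policy edit can fan out into bulk resource creation. Neither the `generateExisting` description nor the schema states a default, so policies adopting it here should set it explicitly, and the controller's RBAC should be scoped to the kinds the policy generates. Two doc nits for upstream: the `foreach[].list` description says the elements are ones "to which the validation logic is applied" (copied from the validate rule), and the `cloneList.selector` description has a stray sentence break ("Label keys and values in `matchLabels`. wildcard characters are not supported.").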
@@ -5282,8 +6743,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -5299,8 +6764,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5361,13 +6830,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5433,13 +6904,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5506,8 +6979,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5568,13 +7045,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5640,13 +7119,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5709,8 +7190,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -5771,13 +7256,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5842,13 +7329,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -5919,8 +7408,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -5946,8 +7446,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -5957,9 +7462,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -5973,8 +7478,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6022,8 +7546,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6099,8 +7625,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -6239,8 +7767,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
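Review bot: `mutateExistingOnPolicyUpdate`, added to the mutate rule next to `patchStrategicMerge`, has no `default` in the schema and its description does not say what happens when it is unset. If the controller treats unset as true, editing a policy re-mutates every existing target in the cluster. Worth confirming the controller's default before the repo adopts mutate-existing rules, and pinning the field explicitly either way.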
@@ -6267,8 +7800,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -6294,8 +7838,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -6305,9 +7854,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6321,8 +7870,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6370,8 +7938,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -6447,8 +8017,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -6466,8 +8038,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
@@ -6485,8 +8105,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -6495,13 +8122,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
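Review bot: `allowExistingViolations` is introduced with `default: true`, so after this upgrade a resource that already violates a validate rule keeps passing admission on update until operators explicitly set the field to `false`; the grandfathering happens silently and deserves a line in the upgrade notes. Separately, the new `assert` field is declared only as `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so a mistyped assertion tree is accepted by the API server and only fails (or matches nothing) at evaluation time; a CI step that runs assertion-based rules against sample resources would catch what CRD validation cannot.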
@@ -6518,21 +8155,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -6544,15 +8178,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -6571,14 +8203,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -6593,12 +8225,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -6617,10 +8249,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -6692,29 +8324,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -6727,22 +8359,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
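Review bot: the `Allow`/`Deny` action described at the top of this hunk loses its `Default to Deny` sentence and now says `Required`, but the hunk adds no `required:` entry and shows no `default:` for it, so a binding that omits the field is no longer guaranteed the fail-closed `Deny` behaviour by the schema alone. Confirm that the enclosing `required:` list (outside this hunk) was updated, or keep `default: Deny` in the schema so that a missing value cannot turn a missing parameter into an allow.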
@@ -6771,13 +8401,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -6795,9 +8427,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -6812,8 +8445,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -6826,8 +8460,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
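Review bot: the `action` enum inside `failureActionOverrides` accepts `audit`, `enforce`, `Audit` and `Enforce`, while the sibling `failureAction` enum accepts only `Audit` and `Enforce`; a lowercase value is therefore valid in an override but rejected at the rule level, which makes copying between the two error-prone. Suggest aligning the two enums or documenting the case handling in the description. `failureAction` is also marked `Optional` with no `default:` in the schema, so the effective mode of a rule that omits it is not visible from the CRD; stating the fallback in the description would let reviewers confirm that rules are enforcing rather than auditing.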
@@ -6849,8 +8564,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
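Review bot: the new `oneOf` on ContextEntry makes exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` and `globalReference` mandatory, which is stricter than before and will reject any existing policy whose context entry sets more than one of them, or none, the next time it is applied; a dry-run of the current policies against the new CRD before rollout is advisable. The description directly above it still reads "Either a ConfigMap reference or a APILookup must be provided" and should list all five alternatives.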
@@ -6876,8 +8602,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
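Review bot: the new `default` on `apiCall` substitutes an arbitrary JSON value whenever the lookup errors, which turns a failed API call into a successfully resolved context; if a policy decision depends on that context, a network or RBAC failure can then make the rule pass or skip instead of failing closed. The description should warn that `default` must be chosen so the rule still denies when the lookup fails, and each use of `default` in existing policies should be checked for this fail-open effect.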
@@ -6887,9 +8618,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -6903,8 +8634,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -6952,8 +8702,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -7029,8 +8781,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -7240,8 +8994,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
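Review bot: the `tsaCertChain` description calls the value a "certificate chain file" yet the field is a `type: string` on an in-cluster policy object, so it is unclear whether it holds PEM content or a path inside the Kyverno pod; since the sibling `PubKey` field in the same block holds key material inline, the description should say "PEM-encoded certificate chain" and drop "file". The last sentence also ends in "timestamurce", which looks like a truncated word (it recurs in every copy of this field in the diff), so the sentence does not actually say where the leaf certificate may otherwise be present.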
@@ -7290,13 +9050,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
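Review bot: `issuerRegExp` is added beside `issuer` with nothing in the schema making them mutually exclusive, and the description does not say which one wins or whether both must match when an entry carries both. Because the issuer is the trust anchor for keyless verification, an entry where a broad regular expression is silently preferred over a stricter literal `issuer` would widen what is accepted; a schema-level mutual-exclusion constraint or an explicit precedence statement in the description would remove the ambiguity.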
@@ -7326,8 +9097,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
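Review bot: the `subjectRegExp` description ("regular expression to match identity used for keyless signing, for example the email address") does not say whether the expression is anchored, and that decides what the field accepts: an unanchored pattern such as `ci@example\.com` also matches any longer identity that merely contains that string. Since subject matching is the identity check for keyless signatures, the description should state full-match versus search semantics and the example should show `^` and `$` anchoring.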
@@ -7346,8 +9123,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7404,19 +9187,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
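Review bot: this hunk leaves two `signatureAlgorithm` fields in the same attestor, the old one (now "Deprecated. Use attestor.signatureAlgorithm instead.") and the new one one level up, both with `default: sha256`, and nothing states which value is used when they disagree. A policy that set `sha512` in the old location still validates against the schema while the new field silently defaults to `sha256`; the deprecated field's description should state the precedence and the upgrade notes should tell users to move the value.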
@@ -7644,8 +9431,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -7696,13 +9489,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -7734,8 +9539,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -7755,8 +9567,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -7815,19 +9633,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -7942,8 +9766,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -8011,8 +9838,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -8061,13 +9894,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -8097,8 +9941,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -8117,8 +9967,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -8175,22 +10031,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
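Review bot: `cosignOCI11` is described only as enabling "experimental OCI 1.1 behaviour" in cosign verification; the description should say what changes in signature lookup when it is on, so a reviewer can tell whether enabling it relaxes verification or only relocates where signatures are found. The `failureAction` added beside it for image verification has no `default:` and a description that lists only the allowed values, so the same fail-open versus fail-closed question raised for validate rules applies here and the fallback mode should be documented.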
@@ -8275,42 +10147,58 @@
type: string
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
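Review bot: adding `match` to the rule-level `required:` list is a validation tightening that will reject any existing rule without a `match` block the next time it is applied, so the chart upgrade should be preceded by a check that every rule in the cluster sets `match`. In the same hunk, the new `validate.deny` block under image verification declares `conditions` with `x-kubernetes-preserve-unknown-fields: true`, so condition typos there are not caught at admission; the `SigstoreBundle` addition to the `type` enum is consistent with the updated description.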
@@ -8349,14 +10237,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -8408,10 +10291,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
@@ -8425,11 +10306,8 @@
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- - jsonPath: .spec.validationFailureAction
- name: VALIDATE ACTION
- type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
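Review bot: removing the `VALIDATE ACTION` printer column (`.spec.validationFailureAction`) takes the enforcement mode out of `kubectl get` output, which operators and auditors use to spot policies still running in Audit mode; since this diff moves the setting to a per-rule `failureAction`, a replacement column (or a status field summarising the mode) should be added rather than dropping the visibility outright.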
@@ -8507,30 +10385,31 @@
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
- failurePolicy:
+ emitWarning:
+ default: false
description: |-
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- Rules within the same policy share the same failure behavior.
- Allowed values are Ignore or Fail. Defaults to Fail.
+ EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+ Enabling this option will extend admission request processing times. The default value is "false".
+ type: boolean
+ failurePolicy:
+ description: Deprecated, use failurePolicy under the webhookConfiguration
+ instead.
enum:
- Ignore
- Fail
type: string
generateExisting:
- description: |-
- GenerateExisting controls whether to trigger generate rule in existing resources
- If is set to "true" generate rule will be triggered and applied to existing matched resources.
- Defaults to "false" if not specified.
+ description: Deprecated, use generateExisting under the generate rule
+ instead
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
- description: |-
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- Default value is "false".
+ description: Deprecated, use mutateExistingOnPolicyUpdate under the
+ mutate rule instead
type: boolean
rules:
description: |-
Rules is a list of Rule instances. A Policy contains multiple rules and
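Review bot: the new `emitWarning` description refers to rules "with validationFailureAction set to Audit", but this same diff deprecates that setting in favour of the per-rule `failureAction` and drops the `validationFailureAction` printer column, so the text should name `failureAction` as well. `failurePolicy` becomes "Deprecated, use failurePolicy under the webhookConfiguration instead" yet keeps its `Ignore`/`Fail` enum with no stated precedence; because `Ignore` fails open when the webhook times out, the description should say which of the two settings is honoured when both are present during migration.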
@@ -8553,9 +10432,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -8563,9 +10441,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -8576,9 +10453,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -8591,8 +10467,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -8617,8 +10504,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -8628,9 +10520,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -8644,8 +10536,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP
+ headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
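Review bot: `headers[].value` is a plain `type: string` with no Secret-reference alternative, so any credential-bearing header for the JSON web service has to be written in clear text into the policy object, where everyone with read access to policies can see it. Suggest at least documenting that in the `Headers` description, and ideally adding a Secret-backed form next to the literal value. Also, the `items` under `headers` has no `description`, unlike the `RequestData` items further up in the same `apiCall` schema.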
@@ -8689,8 +10597,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -8763,15 +10673,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
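Review bot: the new `not: required: [any, all]` under `exclude` rejects a rule that sets both `any` and `all`, but the `ExcludeResources` description directly above it does not say the two are mutually exclusive. Suggest adding a sentence such as "Only one of any or all may be specified", and checking whether any policies in this repo currently set both, since they would fail validation once the CRD is upgraded. The same constraint is added under `match` further down and needs the same wording.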
@@ -8787,8 +10703,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
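Review bot: the new `not: required: [name, names]` on `ResourceDescription` makes `name` and `names` mutually exclusive without either description saying so, and the same constraint is repeated in several later hunks of this diff. Suggest documenting it in the `ResourceDescription` description ("name and names cannot be used together") and calling it out in the release notes as a breaking change for policies that set both today.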
@@ -8849,13 +10769,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8920,13 +10842,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -8993,8 +10917,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9055,13 +10983,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9126,13 +11056,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9246,13 +11178,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9268,8 +11202,453 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list of
+ sub-elements by creating a context for each entry in the
+ list and looping over it to apply the specified logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data sources
+ that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains the
+ HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference is
+ a reference to a cached global context entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides
+ credentials that will be used for authentication
+ with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows
+ insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath
+ context variable that can be defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON
+ object representable in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry (using
+ JMESPath) for conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display
+ message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
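Review bot: `foreach[].list` in this generate-rule hunk describes its elements as those "to which the validation logic is applied", which looks copied from the validate `foreach`; it should say the generate logic is applied per element. Two smaller points in the same hunk: the `generateExisting` text reads "If is set to "true"" (missing "it"), and `imageRegistryCredentials.allowInsecureRegistry` ("allows insecure access to a registry") carries no `default:`, so the description should state the value used when it is omitted, given that it is the switch that permits insecure registry access.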
@@ -9341,8 +11720,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
@@ -9358,8 +11741,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9420,13 +11807,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9491,13 +11880,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9564,8 +11955,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -9626,13 +12021,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9697,13 +12094,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -9775,8 +12174,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -9801,8 +12211,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -9812,9 +12227,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -9828,8 +12243,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -9875,8 +12309,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -9950,8 +12386,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach iterator
@@ -10087,8 +12525,12 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if the
+ mutateExisting rule will be applied on policy events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
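Review bot: `mutateExistingOnPolicyUpdate` is a `boolean` with no `default:` and a description that only says it "controls if the mutateExisting rule will be applied on policy events"; the description should state what happens when it is unset. This matters for change review: when it is on, editing the policy itself re-applies the mutation to already-existing matched resources, so anyone approving a policy edit needs to know whether that flag is set.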
@@ -10115,8 +12557,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -10141,8 +12594,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -10152,9 +12610,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10168,8 +12626,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -10215,8 +12692,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -10290,8 +12769,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -10309,8 +12790,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
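Review bot: the new `selector` under the mutate target ("Selector allows you to select target resources with their labels") does not say how it combines with the sibling `kind`, `name` and `uid` fields visible in this hunk: whether they are ANDed, or whether `selector` is only honoured when `name` is empty. Suggest stating that explicitly, because elsewhere in this CRD an empty selector (`{}`) matches all objects while a null one matches none, and a mutate rule that targets the wrong set of existing resources is hard to roll back.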
@@ -10430,8 +12959,12 @@
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
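Review bot: the new `assert` field ("Assert defines a kyverno-json assertion tree") sits beside `anyPattern` and `cel` with no `oneOf` or `not: required` constraint of the kind added for context entries, and its description gives no pointer to the assertion-tree format. Suggest documenting whether `assert` may be combined with the other validation forms and, if it may not, encoding that in the schema rather than leaving it to runtime validation.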
@@ -10448,21 +12981,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -10474,15 +13004,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -10500,9 +13028,9 @@
description: "Expression represents the expression
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents of the
API request/response, organized into CEL variables
- as well as some other useful variables:\n\n\n-
+ as well as some other useful variables:\n\n-
'object' - The object from the incoming request.
The value is null for DELETE requests.\n- 'oldObject'
- The existing object. The value is null for
CREATE requests.\n- 'request' - Attributes of
@@ -10520,12 +13048,12 @@
checks for the principal (user or service account)
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names are
escaped according to the following rules when
accessed in the expression:\n- '__' escapes
@@ -10543,9 +13071,9 @@
\ - Expression accessing a property named \"x-prop\":
{\"Expression\": \"object.x__dash__prop > 0\"}\n
\ - Expression accessing a property named \"redact__d\":
{\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list type
+ > 0\"}\n\nEquality on arrays with list type
of 'set' or 'map' ignores element order, i.e.
[1, 2] == [2, 1].\nConcatenation on arrays with
x-kubernetes-list-type use the semantics of
the list type:\n - 'set': `X + Y` performs
@@ -10617,29 +13145,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -10652,22 +13180,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
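Review bot: this hunk replaces "Default to `Deny`" with "Required" in the `parameterNotFoundAction` description, but the schema in view is still a bare `type: string` with no `enum` for the documented `Allow`/`Deny` values and no `default:`. Since this field decides whether a binding with no matched parameters is treated as successful validation (`Allow`) or handed to the policy's `failurePolicy` (`Deny`), suggest adding `enum: [Allow, Deny]` and confirming the parent's `required:` list actually includes it; otherwise a binding that omits the field now has undocumented behaviour instead of the previously documented `Deny`.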
@@ -10696,13 +13222,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -10720,9 +13248,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is defined
+ as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -10737,8 +13266,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@@ -10840,8 +13370,89 @@
type: object
type: array
type: object
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the policy
+ validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
list and looping over it to apply the specified logic.
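Review bot: the two new enums in this hunk disagree: `failureAction` accepts only `Audit`/`Enforce`, while `failureActionOverrides[].action` also accepts lowercase `audit`/`enforce`. Accept both spellings in both places or in neither, so an override cannot be written in a form the rule-level field rejects. `failureAction` also carries no `default:` although the `validationFailureAction` it supersedes defaults to `Audit` further down in this diff; stating the effective default in the schema stops policy authors from assuming an omitted field means Enforce (fail closed). Finally, the `failureActionOverrides` description still calls it a "Cluster Policy attribute", but it now sits under the per-rule `validate` object; reword to match its new location.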
@@ -10862,8 +13473,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
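Review bot: the new `oneOf` requires exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference`, but the description immediately above it still reads "Either a ConfigMap reference or a APILookup must be provided"; update it to list all five sources. Because this tightens validation, an existing policy whose context entry sets none or more than one of these fields will be rejected on its next apply, which deserves a release-note entry alongside this chart bump.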
@@ -10888,8 +13510,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
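Review bot: the `default` description should say plainly that setting it turns an API-call failure from a rule error into a successful lookup with the supplied value. For a validate rule that denies based on the looked-up data, a permissive default means an unreachable or erroring endpoint lets requests through, so authors need to choose a value that makes the rule fail closed; a one-line warning in the description would make that trade-off visible where the field is declared.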
@@ -10899,9 +13526,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -10915,8 +13542,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the
+ request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the header
+ value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
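Review bot: `headers[].value` is a plain `type: string` with no secret-reference alternative in this hunk, so an Authorization or API-key header for the external service ends up in clear text in the policy object and in anything that lists or backs up ClusterPolicy resources. The description should warn against embedding credentials here, or a reference form (ConfigMap/Secret lookup) should be considered before this field is relied on for authenticated endpoints.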
@@ -10962,8 +13608,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -11037,8 +13685,10 @@
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -11244,8 +13894,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
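Review bot: the new `tsaCertChain` description ends in "if not present in the timestamurce.", a truncated word, and the same text is copied verbatim into every `tsaCertChain` added in this diff, so it must be fixed on the source type rather than in the rendered output. The description also says "certificate chain file", but the field is a `type: string` holding the PEM data inline, not a path; say "PEM-encoded certificate chain" so policy authors do not put a file path here.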
@@ -11294,13 +13950,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -11330,8 +13997,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used
+ for keyless signing, for example the
+ email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
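Review bot: `issuerRegExp` (above) and `subjectRegExp` (here) are introduced without stating whether the expression is anchored or matched as a substring, and without saying what happens when both `subject` and `subjectRegExp` (or `issuer` and `issuerRegExp`) are set. Both matter for an identity check: an unanchored `.*@example\.com` also matches `user@example.com.attacker.test`. State the matching semantics and recommend anchored patterns in the description, and either make the exact and regex forms mutually exclusive with a `not: required:` as used elsewhere in this diff or define which one wins.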
@@ -11350,8 +14023,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11407,18 +14086,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
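Review bot: after this hunk both the deprecated `keys.signatureAlgorithm` and the new attestor-level `signatureAlgorithm` carry `default: sha256`, so a policy that sets neither gets two defaulted values and one that sets them to different digests has no defined precedence. The deprecation text should say which field is honoured when both are present, and the deprecated field should lose its `default:` so only the new field is defaulted.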
@@ -11634,8 +14318,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -11684,13 +14374,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -11720,8 +14421,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -11740,8 +14447,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -11798,19 +14511,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -11925,8 +14642,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type', to
be removed soon
type: string
@@ -11994,8 +14714,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -12043,13 +14769,24 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate issuer
+ used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -12078,8 +14815,14 @@
description: Subject is the verified identity
used for keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the regular
+ expression to match identity used for
+ keyless signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one or more public
keys.
@@ -12098,8 +14841,14 @@
description: PubKey, if set, is used
to validate SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -12154,22 +14903,33 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values are
- sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm for
+ public keys. Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
list must match the image for the rule to apply. Each image reference consists of a registry
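Review bot: the `failureAction` description here is only "Allowed values are Audit or Enforce." Unlike the same field under `validate`, it does not say what Audit means for an image-verification rule (the request is admitted and an error is recorded in a policy report) or what applies when the field is omitted. Reuse the wording of the validate rule's `failureAction` and state the default.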
@@ -12241,23 +15001,47 @@
Type specifies the method of signature validation. The allowed options
are Cosign and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message to
+ be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have a
digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
schemaValidation:
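Review bot: the `type` enum gains `SigstoreBundle`, but the description two lines above still says "The allowed options are Cosign and Notary."; update it. Adding `match` to `required` is a breaking schema change: any existing rule without a `match` block fails validation on its next update, so call it out in the release notes for this bump. The new `validate.deny.conditions` block is `x-kubernetes-preserve-unknown-fields` with no structure, consistent with the existing deny conditions, but it means a malformed condition is only caught when the policy is evaluated rather than when it is admitted.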
@@ -12270,23 +15054,19 @@
Defaults to "false" if not specified.
type: boolean
validationFailureAction:
default: Audit
- description: |-
- ValidationFailureAction defines if a validation policy rule violation should block
- the admission review request (enforce), or allow (audit) the admission review request
- and report an error in a policy report. Optional.
- Allowed values are audit or enforce. The default value is "Audit".
+ description: Deprecated, use validationFailureAction under the validate
+ rule instead.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
- description: |-
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ description: Deprecated, use validationFailureActionOverrides under
+ the validate rule instead.
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
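Review bot: the deprecation messages in this hunk point at fields that do not exist under `validate` in this diff: they say "use validationFailureAction under the validate rule" and "use validationFailureActionOverrides under the validate rule", while the fields actually added under `validate` are `failureAction` and `failureActionOverrides`. Correct the names so an author following the message does not hit a schema error.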
@@ -12328,13 +15108,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12350,14 +15132,25 @@
type: array
type: object
type: array
webhookConfiguration:
- description: |-
- WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
- Requires Kubernetes 1.27 or later.
+ description: WebhookConfiguration specifies the custom configuration
+ for Kubernetes admission webhookconfiguration.
properties:
+ failurePolicy:
+ description: |-
+ FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+ Rules within the same policy share the same failure behavior.
+ This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ enum:
+ - Ignore
+ - Fail
+ type: string
matchConditions:
- description: MatchCondition configures admission webhook matchConditions.
+ description: |-
+ MatchCondition configures admission webhook matchConditions.
+ Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
properties:
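Review bot: the `failurePolicy` description leaks an implementation note, "This field should not be accessed directly, instead `GetFailurePolicy()` should be used", which is a Go API comment and meaningless to a policy author; drop it from the CRD text. Defaulting to `Fail` is the right fail-closed choice for an admission webhook, and the description could add that `Ignore` admits requests when the webhook errors or times out. The `matchConditions` item description in this hunk still reads "must by fulfilled" even though the same typo is corrected further down in this diff for the CEL precondition copy; fix both.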
@@ -12365,9 +15158,8 @@
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12375,9 +15167,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12388,22 +15179,26 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
- name
type: object
type: array
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
type: object
webhookTimeoutSeconds:
- description: |-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
+ instead.
format: int32
type: integer
type: object
status:
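Review bot: `timeoutSeconds` says "the value must be between 1 and 30 seconds" but the schema adds no `minimum: 1` / `maximum: 30`, so out-of-range values pass API-server validation and are only rejected or clamped later; put the bounds in the schema. The `webhookTimeoutSeconds` deprecation message says "use webhookTimeoutSeconds under webhookConfiguration", but the field added under `webhookConfiguration` is `timeoutSeconds`.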
@@ -12426,16 +15221,15 @@
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
- must by fulfilled for a request to be sent to a webhook.
+ must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
@@ -12443,9 +15237,8 @@
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
Required.
type: string
name:
description: |-
@@ -12456,9 +15249,8 @@
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
Required.
type: string
required:
- expression
@@ -12471,8 +15263,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -12497,8 +15300,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -12508,9 +15316,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET
- or POST).
+ or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -12524,8 +15332,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional
+ HTTP headers to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -12569,8 +15393,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -12644,15 +15470,21 @@
description: Value is any arbitrary JSON object
representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
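Review bot: the new `not: required: [any, all]` makes `any` and `all` mutually exclusive under `exclude`, but the description above does not mention it; add a sentence so a policy combining both gets an understandable error instead of a bare schema rejection. The same applies to the `not: required: [name, names]` constraints on `resources` in the following hunks.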
@@ -12668,8 +15500,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12730,13 +15566,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12802,13 +15640,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -12875,8 +15715,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -12937,13 +15781,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13009,13 +15855,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13078,8 +15926,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13140,13 +15992,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13211,13 +16065,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13332,13 +16188,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13354,8 +16212,461 @@
Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
x-kubernetes-preserve-unknown-fields: true
+ foreach:
+ description: ForEach applies generate rules to a list
+ of sub-elements by creating a context for each entry
+ in the list and looping over it to apply the specified
+ logic.
+ items:
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ clone:
+ description: |-
+ Clone specifies the source resource used to populate each generated resource.
+ At most one of Data or Clone can be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ properties:
+ name:
+ description: Name specifies name of the resource.
+ type: string
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ type: object
+ cloneList:
+ description: CloneList specifies the list of source
+ resource used to populate each generated resource.
+ properties:
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ namespace:
+ description: Namespace specifies source resource
+ namespace.
+ type: string
+ selector:
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels`.
+ wildcard characters are not supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ context:
+ description: Context defines variables and data
+ sources that can be used during rule execution.
+ items:
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
+ properties:
+ apiCall:
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
+ properties:
+ data:
+ description: |-
+ The data object specifies the POST data sent to the server.
+ Only applicable when the method field is set to POST.
+ items:
+ description: RequestData contains
+ the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier
+ for the data value
+ type: string
+ value:
+ description: Value is the data
+ value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request
+ type (GET or POST). Defaults to GET.
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: |-
+ Service is an API call to a JSON web service.
+ This is used for non-Kubernetes API server calls.
+ It's mutually exclusive with the URLPath field.
+ properties:
+ caBundle:
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
+ type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ url:
+ description: |-
+ URL is the JSON web service URL. A typical form is
+ `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ It's mutually exclusive with the Service field.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap
+ reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap
+ namespace.
+ type: string
+ required:
+ - name
+ type: object
+ globalReference:
+ description: GlobalContextEntryReference
+ is a reference to a cached global context
+ entry.
+ properties:
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
+ type: string
+ name:
+ description: Name of the global context
+ entry
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials
+ provides credentials that will be
+ used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry
+ allows insecure access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential
+ providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
+ the image reference.
+ type: string
+ reference:
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary
+ JMESPath context variable that can be
+ defined inline.
+ properties:
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary
+ JSON object representable in YAML
+ or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ data:
+ description: |-
+ Data provides the resource declaration used to populate each generated resource.
+ At most one of Data or Clone must be specified. If neither are provided, the generated
+ resource will be created with default data only.
+ x-kubernetes-preserve-unknown-fields: true
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ list:
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ preconditions:
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context entry
+ (using JMESPath) for conditional rule
+ evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ type: array
+ generateExisting:
+ description: |-
+ GenerateExisting controls whether to trigger the rule in existing resources
+ If is set to "true" the rule will be triggered and applied to existing matched resources.
+ type: boolean
kind:
description: Kind specifies resource kind.
type: string
name:
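Review bot: `allowInsecureRegistry` under `imageRegistryCredentials` declares `type: boolean` but no `default:`, unlike `method` (`default: GET`) in the same hunk, so `kubectl explain` and the generated docs never state that insecure registry access is off unless opted in; add `default: false` so the secure default is explicit in the schema.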
@@ -13427,8 +16738,12 @@
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will
be ANDed
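Review bot: the new `not: required: [any, all]` on MatchResources only rejects the case where both keys are set; it does not require at least one, so the "At least one kind is required" sentence in the description is still enforced at runtime only. Fine as a tightening, but the description should say that `any` and `all` are mutually exclusive.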
@@ -13444,8 +16759,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13506,13 +16825,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
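Review bot: `x-kubernetes-list-type: atomic` on the `values` and `matchExpressions` arrays changes server-side apply semantics: the whole list is owned and replaced as a unit, so two field managers can no longer each contribute entries to the same selector. This matches upstream LabelSelector, but anyone patching selectors on these CRs with SSA should expect full-list replacement.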
@@ -13578,13 +16899,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13651,8 +16974,12 @@
type: array
resources:
description: ResourceDescription contains information
about the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13713,13 +17040,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13785,13 +17114,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13854,8 +17185,12 @@
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -13916,13 +17251,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -13987,13 +17324,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14064,8 +17403,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
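Review bot: the `oneOf` now lists five alternatives (`configMap`, `apiCall`, `imageRegistry`, `variable`, `globalReference`) but the description just above it still says "Either a ConfigMap reference or a APILookup must be provided"; update the description to match, and mention that `oneOf` makes the entry fail validation when more than one source is set.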
@@ -14091,8 +17441,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
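Review bot: `default` on `apiCall` is a fail-open knob: when the lookup errors, the context value is silently set to the default and rule evaluation continues. Policies using it should choose a default that makes the rule deny (or set none so the error surfaces), and the description should say which of the two is the safer choice.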
@@ -14102,9 +17457,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14118,8 +17473,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
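Review bot: `headers[].value` is a plain `type: string` with no secret-reference alternative, so an `Authorization` or API-key header for the external service would sit in clear text in the policy spec, readable by anyone with get on policies and present in GitOps history and audit logs. Document this limitation on the field until a secret-backed value is supported.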
@@ -14167,8 +17541,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14244,8 +17620,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
foreach:
description: Foreach declares a nested foreach
@@ -14384,8 +17762,13 @@
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
+ mutateExistingOnPolicyUpdate:
+ description: MutateExistingOnPolicyUpdate controls if
+ the mutateExisting rule will be applied on policy
+ events.
+ type: boolean
patchStrategicMerge:
description: |-
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
@@ -14412,8 +17795,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -14439,8 +17833,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -14450,9 +17849,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -14466,8 +17865,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -14515,8 +17933,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -14592,8 +18012,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
kind:
description: Kind specifies resource kind.
@@ -14611,8 +18033,56 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ selector:
+ description: Selector allows you to select target
+ resources with their labels.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
type: object
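Review bot: `selector.matchExpressions[].operator` is `type: string` with no `enum`, although the description names exactly four valid values (In, NotIn, Exists, DoesNotExist); a typo in a mutate-existing target selector is therefore caught only at reconcile time. This mirrors the upstream LabelSelector schema, so accept as-is, but a test that a bad operator fails loudly rather than matching nothing would be worthwhile.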
@@ -14630,8 +18100,15 @@
of conditions (without `any` or `all` statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
+ reportProperties:
+ additionalProperties:
+ type: string
+ description: ReportProperties are the additional properties
+ from the rule that will be added to the policy report
+ result
+ type: object
skipBackgroundRequests:
default: true
description: |-
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
@@ -14640,13 +18117,23 @@
type: boolean
validate:
description: Validation is used to validate matching resources.
properties:
+ allowExistingViolations:
+ default: true
+ description: AllowExistingViolations allows prexisting
+ violating resources to continue violating a policy.
+ type: boolean
anyPattern:
description: |-
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
+ assert:
+ description: Assert defines a kyverno-json assertion
+ tree.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
properties:
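Review bot: `allowExistingViolations` has `default: true`, which means resources that already violate a rule keep being admitted on update; clusters that expect Enforce to block every non-compliant write must set it to `false` explicitly after this upgrade. Also, "prexisting" in its description should be "preexisting".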
@@ -14663,21 +18150,18 @@
key specifies the audit annotation key. The audit annotation keys of
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
-
The key is combined with the resource name of the
ValidatingAdmissionPolicy to construct an audit annotation key:
"{ValidatingAdmissionPolicy name}/{key}".
-
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
and the same audit annotation key, the annotation key will be identical.
In this case, the first annotation written with the key will be included
in the audit event and all subsequent annotations with the same key
will be discarded.
-
Required.
type: string
valueExpression:
description: |-
@@ -14689,15 +18173,13 @@
The valueExpression may be no longer than 5kb in length.
If the result of the valueExpression is more than 10kb in length, it
will be truncated to 10kb.
-
If multiple ValidatingAdmissionPolicyBinding resources match an
API request, then the valueExpression will be evaluated for
each binding. All unique values produced by the valueExpressions
will be joined together in a comma-separated list.
-
Required.
type: string
required:
- key
@@ -14716,14 +18198,14 @@
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
expressions have access to the contents
of the API request/response, organized into
CEL variables as well as some other useful
- variables:\n\n\n- 'object' - The object
- from the incoming request. The value is
- null for DELETE requests.\n- 'oldObject'
- - The existing object. The value is null
- for CREATE requests.\n- 'request' - Attributes
- of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ variables:\n\n- 'object' - The object from
+ the incoming request. The value is null
+ for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE
+ requests.\n- 'request' - Attributes of the
+ API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
'params' - Parameter resource referred to
by the policy binding being evaluated. Only
populated if the policy has a ParamKind.\n-
'namespaceObject' - The namespace object
@@ -14738,12 +18220,12 @@
or service account) of the request.\n See
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
'authorizer.requestResource' - A CEL ResourceCheck
constructed from the 'authorizer' and configured
- with the\n request resource.\n\n\nThe `apiVersion`,
+ with the\n request resource.\n\nThe `apiVersion`,
`kind`, `metadata.name` and `metadata.generateName`
are always accessible from the root of the\nobject.
- No other metadata properties are accessible.\n\n\nOnly
+ No other metadata properties are accessible.\n\nOnly
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
are accessible.\nAccessible property names
are escaped according to the following rules
when accessed in the expression:\n- '__'
@@ -14762,10 +18244,10 @@
> 0\"}\n - Expression accessing a property
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
> 0\"}\n - Expression accessing a property
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
- > 0\"}\n\n\nEquality on arrays with list
- type of 'set' or 'map' ignores element order,
+ > 0\"}\n\nEquality on arrays with list type
+ of 'set' or 'map' ignores element order,
i.e. [1, 2] == [2, 1].\nConcatenation on
arrays with x-kubernetes-list-type use the
semantics of the list type:\n - 'set':
`X + Y` performs a union where the array
@@ -14837,29 +18319,29 @@
description: ParamRef references a parameter resource.
properties:
name:
description: |-
- `name` is the name of the resource being referenced.
+ name is the name of the resource being referenced.
+ One of `name` or `selector` must be set, but `name` and `selector` are
+ mutually exclusive properties. If one is set, the other must be unset.
- `name` and `selector` are mutually exclusive properties. If one is set,
- the other must be unset.
+ A single parameter used for all admission requests can be configured
+ by setting the `name` field, leaving `selector` blank, and setting namespace
+ if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both `name` and
`selector` fields.
-
A per-namespace parameter may be used by specifying a namespace-scoped
`paramKind` in the policy and leaving this field empty.
-
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
field results in a configuration error.
-
- If `paramKind` is namespace-scoped, the namespace of the object being
evaluated for admission will be used when this field is left unset. Take
care that if this is left empty the binding must not match any cluster-scoped
resources, which will result in an error.
@@ -14872,22 +18354,20 @@
matched parameters will be treated as successful validation by the binding.
If set to `Deny`, then no matched parameters will be subject to the
`failurePolicy` of the policy.
-
Allowed values are `Allow` or `Deny`
- Default to `Deny`
+
+ Required
type: string
selector:
description: |-
selector can be used to match multiple param objects based on their labels.
Supply selector: {} to match all resources of the ParamKind.
-
If multiple params are found, they are all evaluated with the policy expressions
and the results are ANDed together.
-
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
properties:
matchExpressions:
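Review bot: `parameterNotFoundAction` loses the "Default to `Deny`" sentence and becomes "Required" with no schema `default:`; bindings that relied on the implicit Deny now need to set it explicitly, otherwise the behaviour when no param matches is no longer stated by the schema. Suggest calling this out in the upgrade notes.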
@@ -14916,13 +18396,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -14940,9 +18422,10 @@
Each variable is defined as a named CEL expression.
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
- that is used for composition.
+ that is used for composition. A variable is
+ defined as a named expression.
properties:
expression:
description: |-
Expression is the expression that will be evaluated as the value of the variable.
@@ -14957,8 +18440,9 @@
required:
- expression
- name
type: object
+ x-kubernetes-map-type: atomic
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@@ -14971,8 +18455,89 @@
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
+ failureAction:
+ description: |-
+ FailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ failureActionOverrides:
+ description: |-
+ FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
+ namespace-wise. It overrides FailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
in the list and looping over it to apply the specified
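Review bot: `failureAction` allows only `Audit`/`Enforce`, while `failureActionOverrides[].action` allows `audit`/`enforce`/`Audit`/`Enforce`; the override enum should match the stricter top-level one, or its description should state that the lowercase values are accepted for compatibility. Also `namespaces` under the override has no `description:`.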
@@ -14994,8 +18559,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
@@ -15021,8 +18597,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
@@ -15032,9 +18613,9 @@
type: string
method:
default: GET
description: Method is the HTTP request
- type (GET or POST).
+ type (GET or POST). Defaults to GET.
enum:
- GET
- POST
type: string
@@ -15048,8 +18629,27 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of
+ optional HTTP headers to be included
+ in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header
+ key
+ type: string
+ value:
+ description: Value is the
+ header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
@@ -15097,8 +18697,10 @@
name:
description: Name of the global context
entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -15174,8 +18776,10 @@
JSON object representable in YAML
or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
deny:
description: Deny defines conditions used to pass
@@ -15385,8 +18989,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
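Review bot: the `tsaCertChain` description ends in "timestamurce", which reads like a truncated phrase (the same text recurs in the later `tsaCertChain` hunks); it should be fixed in the upstream Go doc comment so the generated CRD reads correctly.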
@@ -15435,13 +19045,24 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the
+ regular expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
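Review bot: `issuerRegExp` next to `issuer` lets a keyless identity check match the certificate issuer by pattern; since an unanchored pattern also matches longer strings that merely contain it, a policy using this field should anchor the expression (`^...$`) so an unexpected OIDC issuer cannot satisfy it. Worth a hint in the description.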
@@ -15471,8 +19092,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for
+ example the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
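Review bot: same concern as `issuerRegExp`: `subjectRegExp` should be used with an anchored pattern, because an unanchored e-mail pattern also matches any longer identity string that contains it. The description should recommend anchoring and escaping of `.` in e-mail addresses.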
@@ -15491,8 +19118,14 @@
description: PubKey, if set,
is used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15549,19 +19182,23 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and
- sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
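Review bot: both the deprecated `signatureAlgorithm` (now `description: Deprecated. Use attestor.signatureAlgorithm instead.`) and the new attestor-level `signatureAlgorithm` keep `default: sha256`, and nothing in the schema says which value wins when a policy sets both to different algorithms. The deprecation text, or the new field's description, should state the precedence; otherwise a policy migrated half-way can verify signatures against a different digest algorithm than its author intended.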
@@ -15789,8 +19426,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -15841,13 +19484,25 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is
+ the regular expression to
+ match certificate issuer used
+ for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -15879,8 +19534,15 @@
verified identity used for
keyless signing, for example
the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is
+ the regular expression to
+ match identity used for keyless
+ signing, for example the email
+ address.
+ type: string
type: object
keys:
description: Keys specifies one
or more public keys.
@@ -15900,8 +19562,14 @@
set, is used to validate
SCTs against a custom
source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -15960,19 +19628,25 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature
- algorithm for public keys.
- Supported values are sha224,
- sha256, sha384 and sha512.
+ description: Deprecated. Use
+ attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
type: object
type: array
type: object
type: array
@@ -16087,8 +19761,11 @@
type: object
type: array
type: object
type: array
+ name:
+ description: Name is the variable name.
+ type: string
predicateType:
description: Deprecated in favour of 'Type',
to be removed soon
type: string
@@ -16156,8 +19833,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -16206,13 +19889,24 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
+ issuerRegExp:
+ description: IssuerRegExp is the regular
+ expression to match certificate
+ issuer used for keyless signing.
+ type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
@@ -16242,8 +19936,14 @@
description: Subject is the verified
identity used for keyless signing,
for example the email address.
type: string
+ subjectRegExp:
+ description: SubjectRegExp is the
+ regular expression to match identity
+ used for keyless signing, for example
+ the email address.
+ type: string
type: object
keys:
description: Keys specifies one or more
public keys.
@@ -16262,8 +19962,14 @@
description: PubKey, if set, is
used to validate SCTs against
a custom source.
type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
type: object
kms:
description: |-
KMS provides the URI to the public key stored in a Key Management System. See:
@@ -16320,22 +20026,38 @@
- namespace
type: object
signatureAlgorithm:
default: sha256
- description: Specify signature algorithm
- for public keys. Supported values
- are sha224, sha256, sha384 and sha512.
+ description: Deprecated. Use attestor.signatureAlgorithm
+ instead.
type: string
type: object
repository:
description: |-
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values are
+ sha224, sha256, sha384 and sha512.
+ type: string
type: object
type: array
type: object
type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ failureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
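Review bot: `cosignOCI11` says "Defaults to false." in prose but the schema carries no `default: false`, unlike `useCache` and `verifyDigest` elsewhere in this file, which declare `default: true`; add the `default` so the stored object and the description agree. `failureAction` likewise has an enum (`Audit`, `Enforce`) but no `default`, so the behaviour of a rule that leaves it unset is not discoverable from the CRD; either add a default or state in the description that the rule inherits the policy-level setting.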
@@ -16420,42 +20142,58 @@
type: string
```
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
Changes Rendered Chart
type:
description: |-
Type specifies the method of signature validation. The allowed options
- are Cosign and Notary. By default Cosign is used if a type is not specified.
+ are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
enum:
- Cosign
+ - SigstoreBundle
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
+ validate:
+ description: |-
+ Validation checks conditions across multiple image
+ verification attestations or context entries
+ properties:
+ deny:
+ description: Deny defines conditions used to pass
+ or fail a validation rule.
+ properties:
+ conditions:
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ message:
+ description: Message specifies a custom message
+ to be displayed on failure.
+ type: string
+ type: object
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
+ - match
- name
type: object
type: array
type: object
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
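Review bot: adding `match` to the rule's `required:` list (`+ - match` beside the existing `- name`) tightens the schema: policies whose rules omit `match` will fail validation on their next write after the upgrade, so this needs a line in the upgrade notes. Two smaller points in the same hunk: the `Type` description now reads "Sigstore Bundle" while the enum value is `SigstoreBundle`, and `validate.deny.conditions` is declared with `x-kubernetes-preserve-unknown-fields: true`, which means the API server accepts any structure there, so a mistyped operator or key in a deny condition is caught only when the rule executes, not when the policy is admitted.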
@@ -16494,14 +20232,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -16553,10 +20286,8 @@
required:
- generated
- message
type: object
- required:
- - ready
type: object
required:
- spec
type: object
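Review bot: dropping `required: - ready` from the status schema loosens validation rather than tightening it. If the controller still always populates `ready`, consumers that read `.status.ready` keep working, but anything that relied on the API server guaranteeing the field must now handle its absence; this should be mentioned in the changelog alongside the other schema changes.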
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
names:
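Review bot: the label bump `app.kubernetes.io/version: 3.2.7` to `3.3.3` and `helm.sh/chart: crds-3.2.7` to `crds-3.3.3` means this CRD diff spans a minor version of the kyverno crds subchart, and `controller-gen.kubebuilder.io/version` moves from v0.15.0 to v0.16.1, which likely accounts for the mechanical `x-kubernetes-list-type: atomic` additions further down. Because these CRDs live under `charts/crds/templates/` they are rendered as ordinary templates, so Helm applies the schema changes on upgrade and the validation-tightening hunks below (`not: required`, the dropped v2alpha1 version) take effect immediately rather than waiting for a manual CRD apply.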
@@ -176,8 +176,12 @@
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
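Review bot: the new `not: required: [any, all]` block under `match` makes `any` and `all` mutually exclusive at the API server, where previously a PolicyException could carry both. Any existing exception that sets both will be rejected on its next write, so this belongs in the breaking-changes list, and existing objects should be audited before the upgrade (listing all PolicyExceptions as YAML and checking for resources that carry both keys under `match` is enough to find them).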
@@ -192,8 +196,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
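Review bot: `not: required: [name, names]` on ResourceDescription enforces the documented deprecation of `name` in favour of `names` by rejecting objects that set both, which is consistent with the `NOTE: "Name" is being deprecated in favor of "Names".` text elsewhere in this file. It still permits `name` alone, so the deprecation is not complete; the `name` description should say that combining it with `names` is now a validation error so authors do not discover it only from the API server's rejection message.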
@@ -253,13 +261,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
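Review bot: `x-kubernetes-list-type: atomic` on the `values` and `matchExpressions` lists changes server-side-apply semantics: the whole list is now owned and replaced by a single field manager rather than merged element-wise, so two controllers or two `kubectl apply --server-side` managers that each contribute selector requirements will conflict instead of merging. This matches the upstream LabelSelector type and is harmless for single-owner objects, but it is worth noting for anyone who patches PolicyExceptions from more than one tool.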
@@ -323,13 +333,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -395,8 +407,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -456,13 +472,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -526,13 +544,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -644,10 +664,11 @@
required:
- spec
type: object
served: true
- storage: false
- - name: v2alpha1
+ storage: true
+ - deprecated: true
+ name: v2beta1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
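Review bot: the version preceding `v2alpha1` in the list flips to `storage: true`, `v2alpha1` disappears, and `v2beta1` is marked `deprecated: true`. Two upgrade checks follow from that: objects persisted under the previous storage version are not rewritten until they are next updated, so the CRD's `status.storedVersions` keeps the old version listed until a storage migration (for example a no-op update of every PolicyException) has run; and any manifest in a GitOps repository still using `apiVersion: kyverno.io/v2alpha1` will fail at apply time after this upgrade, so the repository should be searched for that apiVersion before merging.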
@@ -796,8 +817,12 @@
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -812,211 +837,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
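Review bot: this hunk is hard to review as rendered: `diff -U 4` has aligned the deletion of the v2alpha1 resource schema with the surviving `any:` block of the following version, so the `+ not:` insertion lands between a deleted `- - kind` and a retained `- name` context line and appears to attach to the `subjects` item's `required:` list when it actually introduces the `not: required: [name, names]` constraint on ResourceDescription. Suggest reviewing the v2beta1 schema against a whole-file render rather than this interleaved hunk, and confirming that the `required: - name` under `subjects` is unchanged in the rendered output.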
@@ -1076,13 +902,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1146,13 +974,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1203,224 +1033,10 @@
x-kubernetes-map-type: atomic
type: array
type: object
type: array
- type: object
- podSecurity:
- description: |-
- PodSecurity specifies the Pod Security Standard controls to be excluded.
- Applicable only to policies that have validate.podSecurity subrule.
- items:
- description: PodSecurityStandard specifies the Pod Security Standard
- controls to be excluded.
- properties:
- controlName:
- description: |-
- ControlName specifies the name of the Pod Security Standard control.
- See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
- enum:
- - HostProcess
- - Host Namespaces
- - Privileged Containers
- - Capabilities
- - HostPath Volumes
- - Host Ports
- - AppArmor
- - SELinux
- - /proc Mount Type
- - Seccomp
- - Sysctls
- - Volume Types
- - Privilege Escalation
- - Running as Non-root
- - Running as Non-root user
- type: string
- images:
- description: |-
- Images selects matching containers and applies the container level PSS.
- Each image is the image name consisting of the registry address, repository, image, and tag.
- Empty list matches no containers, PSS checks are applied at the pod level only.
- Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
- items:
- type: string
- type: array
- restrictedField:
- description: |-
- RestrictedField selects the field for the given Pod Security Standard control.
- When not set, all restricted fields for the control are selected.
- type: string
- values:
- description: Values defines the allowed values that can be excluded.
- items:
- type: string
- type: array
- required:
- - controlName
- type: object
- type: array
- required:
- - exceptions
- - match
- type: object
- required:
- - spec
- type: object
- served: false
- storage: false
- - name: v2beta1
- schema:
- openAPIV3Schema:
- description: PolicyException declares resources to be excluded from specified
- policies.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy exception behaviors.
- properties:
- background:
- description: |-
- Background controls if exceptions are applied to existing policies during a background scan.
- Optional. Default value is "true". The value must be set to "false" if the policy rule
- uses variables that are only available in the admission review request (e.g. user name).
- type: boolean
- conditions:
- description: |-
- Conditions are used to determine if a resource applies to the exception by evaluating a
- set of conditions. The declaration can contain nested `any` or `all` statements.
- properties:
- all:
- description: |-
- AllConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, all of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
any:
- description: |-
- AnyConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, at least one of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- type: object
- exceptions:
- description: Exceptions is a list policy/rules to be excluded
- items:
- description: Exception stores infos about a policy and rules
- properties:
- policyName:
- description: |-
- PolicyName identifies the policy to which the exception is applied.
- The policy name uses the format <namespace>/<name> unless it
- references a ClusterPolicy.
- type: string
- ruleNames:
- description: RuleNames identifies the rules to which the exception
- is applied.
- items:
- type: string
- type: array
- required:
- - policyName
- - ruleNames
- type: object
- type: array
- match:
- description: Match defines match clause used to check if a resource
- applies to the exception
- properties:
- all:
- description: All allows specifying resources which will be ANDed
+ description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
@@ -1432,211 +1048,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
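Review bot: the trailing context lines of this hunk (`required:` followed by `- name`) are aligned against unrelated nesting levels, because one large removal of the `namespaceSelector`, `namespaces`, `operations`, `selector`, `roles` and `subjects` definitions is interleaved with two one-line additions (`not:` and `- names`); the resulting schema cannot be checked for correctness line by line. Compare the rendered `out/target` and `out/pr` CRD files with a structure-aware YAML diff before merging, and confirm that the surviving `required: - name` still sits under the object it was meant for.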
@@ -1696,13 +1113,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1766,13 +1185,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1884,5 +1305,5 @@
required:
- spec
type: object
served: true
- storage: true
+ storage: false
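Review bot: `storage: true` becomes `storage: false` on this version, so another version of the same CRD must now carry `storage: true`; that companion change is not in this hunk. Objects already persisted under this version stay in etcd in the old serialization until they are rewritten, so plan a storage-version migration (rewrite existing objects, then trim `status.storedVersions`) before this version is ever removed from the CRD.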
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: updaterequests.kyverno.io
spec:
group: kyverno.io
names:
@@ -50,8 +50,9 @@
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
name: v1beta1
schema:
openAPIV3Schema:
description: UpdateRequest is a request to process mutate and generate rules
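Review bot: `deprecated: true` is added to v1beta1 without a `deprecationWarning`, so the API server will return its generic deprecation warning to clients; a message naming the replacement version would make the warning actionable for anyone still writing UpdateRequests via v1beta1. The version stays `served: true`, so nothing breaks at this step.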
@@ -144,16 +145,14 @@
description: |-
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type for more details.
properties:
group:
type: string
@@ -170,16 +169,14 @@
description: |-
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type.
properties:
group:
type: string
@@ -243,8 +240,9 @@
of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -302,8 +300,9 @@
description: The names of groups this user is a part of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -405,9 +404,9 @@
- state
type: object
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.policy
@@ -457,9 +456,11 @@
spec:
description: ResourceSpec is the information to identify the trigger resource.
properties:
context:
- description: Context ...
+ description: |-
+ Context represents admission request context.
+ It is used upon admission review only and is shared across rules within the same UR.
properties:
admissionRequestInfo:
description: AdmissionRequestInfoObject stores the admission request
and operation details
@@ -524,16 +525,14 @@
description: |-
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type for more details.
properties:
group:
type: string
@@ -550,16 +549,14 @@
description: |-
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
-
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
-
See documentation for the "matchPolicy" field in the webhook configuration type.
properties:
group:
type: string
@@ -623,8 +620,9 @@
of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -682,8 +680,9 @@
description: The names of groups this user is a part of.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
uid:
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
@@ -696,10 +695,11 @@
type: object
type: object
type: object
deleteDownstream:
- description: DeleteDownstream represents whether the downstream needs
- to be deleted.
+ description: |-
+ DeleteDownstream represents whether the downstream needs to be deleted.
+ Deprecated
type: boolean
policy:
description: Specifies the name of the policy.
type: string
@@ -731,12 +731,58 @@
type: object
rule:
description: Rule is the associate rule name of the current UR.
type: string
+ ruleContext:
+ description: |-
+ RuleContext is the associate context to apply rules.
+ optional
+ items:
+ properties:
+ deleteDownstream:
+ description: DeleteDownstream represents whether the downstream
+ needs to be deleted.
+ type: boolean
+ rule:
+ description: Rule is the associate rule name of the current
+ UR.
+ type: string
+ synchronize:
+ description: |-
+ Synchronize represents the sync behavior of the corresponding rule
+ Optional. Defaults to "false" if not specified.
+ type: boolean
+ trigger:
+ description: ResourceSpec is the information to identify the
+ trigger resource.
+ properties:
+ apiVersion:
+ description: APIVersion specifies resource apiVersion.
+ type: string
+ kind:
+ description: Kind specifies resource kind.
+ type: string
+ name:
+ description: Name specifies the resource name.
+ type: string
+ namespace:
+ description: Namespace specifies resource namespace.
+ type: string
+ uid:
+ description: UID specifies the resource uid.
+ type: string
+ type: object
+ required:
+ - deleteDownstream
+ - rule
+ - trigger
+ type: object
+ type: array
synchronize:
description: |-
Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to "false" if not specified.
+ Deprecated, will be removed in 1.14.
type: boolean
required:
- context
- deleteDownstream
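Review bot: `synchronize` gains the text "Deprecated, will be removed in 1.14" and the previous hunk marks `deleteDownstream` as Deprecated, yet the top-level `required` list at the end of this hunk still contains `deleteDownstream` (alongside `context`), so clients that move to the new `ruleContext` array must keep populating the deprecated field or the object is rejected; either drop it from `required` now or state the compatibility intent in the description. The stray word `optional` in the `ruleContext` description reads like a leaked generator marker and should be removed or turned into a sentence.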
@@ -782,7 +828,7 @@
- state
type: object
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
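Review bot: with this flip v2 becomes the storage version while v1beta1 (made `storage: false` and `deprecated: true` in the hunks above) remains served. Existing UpdateRequest objects stay stored as v1beta1 until something rewrites them, so `status.storedVersions` on the CRD will list both versions; a storage-version migration has to run before v1beta1 can be dropped in a later chart release, otherwise that later CRD update will be rejected by the API server.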
diff -U 4 -r out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml
--- out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml 2024-11-22 16:44:44.796345530 +0000
+++ out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/app-config-configmap.yaml 2024-11-22 16:44:11.404509047 +0000
@@ -31,8 +31,10 @@
timeout: PT3M
signIn:
resolvers:
- resolver: usernameMatchingUserEntityName
+ - resolver: emailMatchingUserEntityProfileEmail
+ - resolver: emailLocalPartMatchingUserEntityName
oidc:
development:
additionalScopes: groups
callbackUrl: https://backstage.lab.suxessit.k8s.cloud.uibk.ac.at/api/auth/oidc/handler/frame
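Review bot: two e-mail based sign-in resolvers are appended after `usernameMatchingUserEntityName`. Backstage tries resolvers in order and the first one that finds a matching user entity wins, so a lookup that fails on username now falls through to e-mail matching; `emailLocalPartMatchingUserEntityName` keys on the part before `@` only, so two identities on different domains with the same local part would resolve to the same catalog user. Confirm the identity provider on this sign-in path returns a verified e-mail before relying on these fallbacks.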
@@ -44,18 +46,20 @@
resolvers:
- resolver: emailLocalPartMatchingUserEntityName
- resolver: emailMatchingUserEntityProfileEmail
session:
- secret: supersecret
+ secret: ${BACKEND_SECRET}
backend:
auth:
externalAccess:
- options:
subject: admincurlaccess
token: ${EXTERNAL_ACCESS_TOKEN}
type: static
- keys:
- - secret: ${BACKEND_SECRET}
+ - options:
+ secret: ${BACKEND_SECRET}
+ subject: legacy-secret
+ type: legacy
baseUrl: https://backstage.lab.suxessit.k8s.cloud.uibk.ac.at
cache:
store: memory
cors:
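Review bot: replacing the literal `supersecret` session secret with `${BACKEND_SECRET}` is the right fix, but the literal has been sitting in the rendered output and therefore in git history, so treat it as disclosed and rotate any deployment that used it. The same `${BACKEND_SECRET}` value now also serves as the `legacy` external-access key, meaning one secret both signs sessions and admits external callers; separate values would let either be rotated independently.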
@@ -292,19 +296,19 @@
- rbac
policies-csv-file: /opt/app-root/src/rbac/rbac-policy.csv
policyFileReload: true
proxy:
- /argocd/api:
- changeOrigin: true
- headers:
- Cookie:
- $env: ARGOCD_AUTH_TOKEN
- secure: false
- target: http://sx-argocd-server.argocd:80/api/v1/
- /grafana/api:
- headers:
- Authorization: Bearer ${GRAFANA_TOKEN}
- target: http://sx-grafana.grafana:80
+ endpoints:
+ /argocd/api:
+ changeOrigin: true
+ headers:
+ Cookie:
+ $env: ARGOCD_AUTH_TOKEN
+ target: http://sx-argocd-server.argocd:80/api/v1/
+ /grafana/api:
+ headers:
+ Authorization: Bearer ${GRAFANA_TOKEN}
+ target: http://sx-grafana.grafana:80
scaffolder: {}
scorecards:
jsonDataUrl: https://raw.githubusercontent.com/Oriflame/backstage-plugins/main/plugins/score-card/sample-data/
techdocs:
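Review bot: the proxy entries move under `proxy.endpoints`, the newer Backstage layout, and the `secure: false` flag on `/argocd/api` is dropped; that flag only disabled upstream TLS verification and the target is plain HTTP on port 80, so nothing is lost. Both endpoints attach a privileged credential (`ARGOCD_AUTH_TOKEN` as a Cookie, `GRAFANA_TOKEN` as a Bearer token), so every signed-in Backstage user reaches Argo CD and Grafana with that credential; since `allowedMethods` is not set, the proxy's default of GET only applies, and that is the setting to keep.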
@@ -313,7 +317,9 @@
runIn: local
publisher:
type: local
vault:
+ auth:
+ secret: ${VAULT_TOKEN}
+ type: static
baseUrl: https://${VAULT_ADDR}
publicUrl: https://${VAULT_ADDR}
- token: ${VAULT_TOKEN}
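Review bot: the vault plugin's top-level `token` moves into `auth` with `type: static`, so the integration still rides on a single long-lived Vault token. The value is substituted from the environment at runtime, so the ConfigMap carries the `${VAULT_TOKEN}` placeholder rather than the token itself, but the token should be bound by a Vault policy to the paths the plugin reads and given a TTL with renewal rather than being issued without expiry.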
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clusterephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
@@ -186,13 +186,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -205,26 +207,10 @@
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to
+ let you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -236,9 +222,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: ephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
@@ -186,13 +186,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -205,26 +207,10 @@
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to
+ let you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -236,9 +222,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clusterpolicyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
@@ -126,13 +126,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -145,26 +147,10 @@
resources:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to let
+ you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -176,9 +162,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -277,9 +262,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -337,13 +321,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: policyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
@@ -125,13 +125,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -144,26 +146,10 @@
resources:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
- description: |-
- ObjectReference contains enough information to let you inspect or modify the referred object.
- ---
- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
- 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
- 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
- restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
- Those cannot be well described when embedded.
- 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
- 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
- during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
- and the version of the actual struct is irrelevant.
- 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
- will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
-
-
- Instead of using this type, create a locally provided and used type that is well-focused on your reference.
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+ description: ObjectReference contains enough information to let
+ you inspect or modify the referred object.
properties:
apiVersion:
description: API version of the referent.
type: string
@@ -175,9 +161,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -276,9 +261,8 @@
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
- TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
@@ -336,13 +320,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrole.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
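Review bot: The new `rbac.kyverno.io/aggregate-to-admission-controller: "true"` selector means any ClusterRole carrying that single label is folded into the admission controller's permissions, independent of the instance and part-of labels the existing selector requires. That is the intended extension point for granting the controller access to further resources, so creation of ClusterRoles with that label should be limited to cluster admins and the label should be included in RBAC audit queries for this cluster.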
@@ -27,10 +29,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -71,12 +73,8 @@
- updaterequests
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
verbs:
- create
- delete
@@ -150,12 +148,4 @@
- patch
- get
- list
- watch
- - apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
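Review bot: Dropping the wildcard `'*'` apiGroups/resources get/list/watch rule is a welcome least-privilege change, but it is also a behavioural one: a policy whose context performs an API call or variable lookup against a resource the controller is not otherwise granted will now get a forbidden error instead of a result. Before merging, check the policies deployed with values-uibklab.yaml for such lookups and grant them explicitly through a ClusterRole carrying the new aggregation label rather than reintroducing the wildcard.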
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,14 +8,35 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:admission-controller
subjects:
- kind: ServiceAccount
name: kyverno-admission-controller
namespace: default
+---
+# Source: sx-kyverno/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: release-name-kyverno:admission-controller:view
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: release-name-kyverno
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+ - kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: default
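Review bot: The new `release-name-kyverno:admission-controller:view` binding to the built-in `view` ClusterRole stands in for the removed wildcard read rule, but the two are not equivalent: `view` deliberately excludes Secrets, and it is itself an aggregated role whose effective scope grows whenever another ClusterRole carries the `rbac.authorization.k8s.io/aggregate-to-view` label. Worth recording in the PR that the admission controller's read surface now tracks `view` rather than a fixed list, so changes to other charts' aggregate roles change what Kyverno can read.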
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/deployment.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-admission-controller
initContainers:
- name: kyverno-pre
- image: "ghcr.io/kyverno/kyvernopre:v1.12.6"
+ image: "ghcr.io/kyverno/kyvernopre:v1.13.1"
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
- --v=2
@@ -65,8 +65,10 @@
memory: 64Mi
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: release-name-kyverno:admission-controller
- name: INIT_CONFIG
value: release-name-kyverno
- name: METRICS_CONFIG
value: release-name-kyverno-metrics
@@ -83,16 +85,18 @@
- name: KYVERNO_SVC
value: release-name-kyverno-svc
containers:
- name: kyverno
- image: "ghcr.io/kyverno/kyverno:v1.12.6"
+ image: "ghcr.io/kyverno/kyverno:v1.13.1"
imagePullPolicy: IfNotPresent
args:
- --caSecretName=release-name-kyverno-svc.default.svc.kyverno-tls-ca
- --tlsSecretName=release-name-kyverno-svc.default.svc.kyverno-tls-pair
- --backgroundServiceAccountName=system:serviceaccount:default:kyverno-background-controller
+ - --reportsServiceAccountName=system:serviceaccount:default:kyverno-reports-controller
- --servicePort=443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --admissionReports=true
@@ -102,16 +106,18 @@
- --enableDeferredLoading=true
- --dumpPayload=false
- --forceFailurePolicyIgnore=false
- --generateValidatingAdmissionPolicy=false
+ - --dumpPatches=false
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
- --protectManagedResources=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
resources:
limits:
memory: 1Gi
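Review bot: `--enablePolicyException` flips from `true` to `false` in the rendered output, so any PolicyException resources in this environment stop being honoured after the upgrade and the workloads they exempt will be blocked or flagged by the underlying policies. If exceptions are in use, the chart's policy-exception feature value should be set explicitly in values-uibklab.yaml instead of relying on the upstream default; the same flip appears in the background-controller deployment further down. The added `--dumpPatches=false` and `--enableReporting=validate,mutate,mutateExisting,imageVerify,generate` lines look like plain upstream defaults.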
@@ -140,8 +146,10 @@
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: release-name-kyverno:admission-controller
- name: KYVERNO_SVC
value: release-name-kyverno-svc
- name: TUF_ROOT
value: /.sigstore
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/role.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -9,19 +9,21 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- ''
resources:
- secrets
+ - serviceaccounts
verbs:
- get
- list
- watch
+ - patch
- create
- update
- delete
- apiGroups:
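Review bot: The namespaced Role now grants `serviceaccounts` alongside `secrets`, and adds `patch` to a verb list that already includes create, update and delete, so the admission controller gains write access to every service account in its namespace (presumably in support of the new `KYVERNO_ROLE_NAME` environment variable). Namespace-scoped is acceptable, but write access to service accounts and secrets in the same namespace is a sensitive combination; confirm that the upstream chart actually needs write rather than read here and that the namespace holds only Kyverno's own service accounts.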
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/rolebinding.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: release-name-kyverno:admission-controller
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/service.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -9,16 +9,17 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
@@ -34,10 +35,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml
--- out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml 2024-11-22 16:44:44.796345530 +0000
+++ out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/backstage-deployment.yaml 2024-11-22 16:44:11.404509047 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
annotations:
@@ -23,14 +23,14 @@
template:
metadata:
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
annotations:
- checksum/app-config: f780b53d95a1ed1b1bdc0ed67493a5c920331071aed0dceb1f5f20a84e621143
+ checksum/app-config: 895237e138d9c0a0ccc59a5b16429950e7b51c08c07d5e8657d641da0e8cd5de
spec:
serviceAccountName: default
volumes:
- configMap:
@@ -42,14 +42,12 @@
name: release-name-backstage-app-config
containers:
- name: backstage-backend
- image: ghcr.io/suxess-it/sx-backstage:latest
+ image: ghcr.io/suxess-it/sx-backstage:v1.32.5
imagePullPolicy: "Always"
command:
- node
- - --require
- - ./instrumentation.js
- packages/backend
args:
- "--config"
- "/app/app-config-from-configmap.yaml"
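Review bot: Two unrelated behavioural changes are bundled in this hunk and neither is mentioned in the PR title: the image moves from the floating `:latest` tag to the pinned `v1.32.5` (good for reproducibility; pinning by digest would be better still), and `--require ./instrumentation.js` is dropped from the node command line, which removes whatever instrumentation that file loaded at startup. Confirm the instrumentation removal is intentional and not a side effect of the image change.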
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml 2024-11-22 16:45:00.508259707 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/serviceaccount.yaml 2024-11-22 16:44:29.208434765 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/admission-controller/servicemonitor.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: admission-controller
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrole.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
@@ -27,10 +29,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -40,9 +42,11 @@
- apiGroups:
- kyverno.io
resources:
- policies
+ - policies/status
- clusterpolicies
+ - clusterpolicies/status
- policyexceptions
- updaterequests
- updaterequests/status
- globalcontextentries
@@ -77,15 +81,21 @@
- patch
- update
- watch
- apiGroups:
- - '*'
+ - reports.kyverno.io
resources:
- - '*'
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
- - get
- - list
- - watch
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
- apiGroups:
- networking.k8s.io
resources:
- ingresses
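Review bot: The wildcard read rule is replaced here by full create/delete/get/list/patch/update/watch/deletecollection on `ephemeralreports` and `clusterephemeralreports` in `reports.kyverno.io`. Scoping to one API group is the right direction; the new `deletecollection` verb is the only part worth a second look, since a bulk delete on cluster-scoped reports is a bigger blast radius than per-object deletes, but it is limited to Kyverno's own report types.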
@@ -109,9 +119,8 @@
- apiGroups:
- ""
resources:
- configmaps
- - secrets
- resourcequotas
- limitranges
verbs:
- create
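Review bot: Removing `secrets` from the background controller's core-group write rule is a real privilege reduction, and because this is the controller that executes generate and mutate-existing rules, any policy that generates or mutates Secrets cluster-wide will start failing with a forbidden error after the upgrade. Check the deployed policies for Secret targets and, if any exist, grant that access through a ClusterRole labelled `rbac.kyverno.io/aggregate-to-background-controller: "true"` rather than restoring the rule here.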
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,14 +8,35 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:background-controller
subjects:
- kind: ServiceAccount
name: kyverno-background-controller
namespace: default
+---
+# Source: sx-kyverno/charts/kyverno/templates/background-controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: release-name-kyverno:background-controller:view
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: release-name-kyverno
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: default
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/deployment.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-background-controller
containers:
- name: controller
- image: "ghcr.io/kyverno/background-controller:v1.12.6"
+ image: "ghcr.io/kyverno/background-controller:v1.13.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
@@ -64,15 +64,17 @@
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-background-controller
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/role.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
rules:
- apiGroups:
- ''
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/rolebinding.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/service.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml 2024-11-22 16:45:00.508259707 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/serviceaccount.yaml 2024-11-22 16:44:29.208434765 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/background-controller/servicemonitor.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: background-controller
Only in out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates: cleanup
diff -U 4 -r out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/ingress.yaml out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/ingress.yaml
--- out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/ingress.yaml 2024-11-22 16:44:44.796345530 +0000
+++ out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/ingress.yaml 2024-11-22 16:44:11.404509047 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
annotations:
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrole.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
@@ -27,10 +29,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:cleanup-controller
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/deployment.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-cleanup-controller
containers:
- name: controller
- image: "ghcr.io/kyverno/cleanup-controller:v1.12.6"
+ image: "ghcr.io/kyverno/cleanup-controller:v1.13.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
@@ -66,8 +66,9 @@
- --tlsSecretName=kyverno-cleanup-controller.default.svc.kyverno-tls-pair
- --servicePort=443
- --cleanupServerPort=9443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --enableDeferredLoading=true
@@ -90,8 +91,10 @@
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-cleanup-controller
+ - name: KYVERNO_ROLE_NAME
+ value: release-name-kyverno:cleanup-controller
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/role.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
rules:
- apiGroups:
- ''
@@ -59,4 +59,12 @@
- patch
- update
resourceNames:
- kyverno-cleanup-controller
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/rolebinding.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/service.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -9,16 +9,17 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
@@ -34,10 +35,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml 2024-11-22 16:45:00.508259707 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml 2024-11-22 16:44:29.208434765 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: cleanup-controller
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml 2024-11-22 16:45:00.508259707 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/config/configmap.yaml 2024-11-22 16:44:29.208434765 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/resource-policy: "keep"
data:
enableDefaultRegistryMutation: "true"
@@ -35,16 +35,10 @@
[Binding,*,*]
[Pod/binding,*,*]
[ReplicaSet,*,*]
[ReplicaSet/*,*,*]
- [AdmissionReport,*,*]
- [AdmissionReport/*,*,*]
- [ClusterAdmissionReport,*,*]
- [ClusterAdmissionReport/*,*,*]
- [BackgroundScanReport,*,*]
- [BackgroundScanReport/*,*,*]
- [ClusterBackgroundScanReport,*,*]
- [ClusterBackgroundScanReport/*,*,*]
+ [EphemeralReport,*,*]
+ [ClusterEphemeralReport,*,*]
[ClusterRole,*,release-name-kyverno:admission-controller]
[ClusterRole,*,release-name-kyverno:admission-controller:core]
[ClusterRole,*,release-name-kyverno:admission-controller:additional]
[ClusterRole,*,release-name-kyverno:background-controller]
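Review bot: the resourceFilters entries for AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport (and their subresources) are removed and replaced by EphemeralReport and ClusterEphemeralReport. This matches the removal of the kyverno.io report kinds from the RBAC templates further down in this diff, but a custom `resourceFilters` override in values-uibklab.yaml that still lists the old kinds would now be dead configuration; grep the values file for `AdmissionReport` and `BackgroundScanReport` before merging.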
@@ -129,6 +123,7 @@
[ServiceMonitor,default,kyverno-cleanup-controller]
[ServiceMonitor,default,kyverno-reports-controller]
[Secret,default,release-name-kyverno-svc.default.svc.*]
[Secret,default,kyverno-cleanup-controller.default.svc.*]
- webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\",\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"default\"]}],\"matchLabels\":null}}]"
+ updateRequestThreshold: "1000"
+ webhooks: "{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\",\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"default\"]}],\"matchLabels\":null}}"
webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}" |
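Review bot: the `webhooks` value changes shape from a one-element JSON array `[{...}]` to a bare object `{...}` while the namespaceSelector content (NotIn kyverno, kube-system; NotIn default) is unchanged. This selector is what keeps the admission webhooks away from kyverno's own namespace and kube-system, so confirm the v1.13.1 controllers accept the object form; a rejected value here would surface as webhook registration errors rather than as a rendering failure. The new `updateRequestThreshold: "1000"` only affects generate/mutateExisting backpressure and is fine as a default.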
Changes Default Values
diff -U 4 -r out-default-values/target/external-secrets_external-secrets_default-values.out out-default-values/pr/external-secrets_external-secrets_default-values.out
--- out-default-values/target/external-secrets_external-secrets_default-values.out 2024-11-22 17:09:52.913722214 +0000
+++ out-default-values/pr/external-secrets_external-secrets_default-values.out 2024-11-22 17:09:25.813550757 +0000
@@ -42,8 +42,9 @@
# -- If true, create CRDs for Push Secret.
createPushSecret: true
annotations: {}
conversion:
+ # -- If webhook is set to false this also needs to be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
enabled: true
imagePullSecrets: []
nameOverride: "" |
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml 2024-11-22 16:45:00.508259707 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/config/metricsconfigmap.yaml 2024-11-22 16:44:29.208434765 +0000
@@ -9,9 +9,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
data:
namespaces: "{\"exclude\":[],\"include\":[]}"
+ metricsExposure: "{\"kyverno_admission_requests_total\":{\"disabledLabelDimensions\":[\"resource_namespace\"]},\"kyverno_admission_review_duration_seconds\":{\"disabledLabelDimensions\":[\"resource_namespace\"]},\"kyverno_cleanup_controller_deletedobjects_total\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"policy_namespace\"]},\"kyverno_policy_execution_duration_seconds\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"resource_request_operation\"]},\"kyverno_policy_results_total\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"policy_namespace\"]},\"kyverno_policy_rule_info_total\":{\"disabledLabelDimensions\":[\"resource_namespace\",\"policy_namespace\"]}}"
bucketBoundaries: "0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30"
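Review bot: the new `metricsExposure` default drops the `resource_namespace` label (and for some series `policy_namespace` or `resource_request_operation`) from six kyverno_* metrics. That is a sensible cardinality reduction, but any alert or dashboard in this repo that groups `kyverno_policy_results_total` or `kyverno_admission_requests_total` by namespace will silently lose that breakdown after the upgrade; check the monitoring rules, or override the metricsConfig in values to keep the dimensions you actually use.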
Only in out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks: post-delete-configmap.yaml
diff -U 4 -r out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/service.yaml out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/service.yaml
--- out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/service.yaml 2024-11-22 16:44:44.796345530 +0000
+++ out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/service.yaml 2024-11-22 16:44:11.404509047 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
spec:
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
spec:
@@ -23,9 +23,9 @@
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: "bitnami/kubectl:1.28.5"
+ image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- -c
@@ -45,9 +45,9 @@
fi
done
COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
-
+
if [ $COUNT -gt 0 ]; then
echo "deleting $COUNT clusterpolicyreports"
kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
else
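Review bot: `bitnami/kubectl` moves from 1.28.5 to 1.30.2 but is still referenced by tag only. This Job runs as the `kyverno-admission-controller` service account and bulk-deletes clusterpolicyreports, so a tag-pinned third-party image from Docker Hub is the weakest link in an otherwise routine bump; consider pinning by digest through the chart's image values. The only other change in this hunk is trailing whitespace on the blank line before the `if`, which is what produced the `-`/`+` pair.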
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "100"
@@ -26,10 +26,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
@@ -64,10 +64,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
@@ -90,10 +90,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "200"
@@ -105,23 +105,15 @@
serviceAccount: release-name-kyverno-migrate-resources
restartPolicy: Never
containers:
- name: kubectl
- image: "ghcr.io/kyverno/kyverno-cli:v1.12.6"
+ image: "ghcr.io/kyverno/kyverno-cli:v1.13.1"
imagePullPolicy: IfNotPresent
args:
- migrate
- --resource
- - admissionreports.kyverno.io
- - --resource
- - backgroundscanreports.kyverno.io
- - --resource
- cleanuppolicies.kyverno.io
- --resource
- - clusteradmissionreports.kyverno.io
- - --resource
- - clusterbackgroundscanreports.kyverno.io
- - --resource
- clustercleanuppolicies.kyverno.io
- --resource
- clusterpolicies.kyverno.io
- --resource
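Review bot: the migrate Job drops admissionreports, backgroundscanreports, clusteradmissionreports and clusterbackgroundscanreports from its `--resource` list while moving to kyverno-cli v1.13.1. That is consistent with those kinds disappearing from the RBAC and resourceFilters hunks, but any objects of those kinds left in the cluster are no longer touched by this hook, and the post-upgrade-clean-reports Job above only deletes clusterpolicyreports; confirm whether stale objects and CRDs of the old report kinds need a separate cleanup step.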
Only in out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks: pre-delete-configmap.yaml
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: pre-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
@@ -24,9 +24,9 @@
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: "bitnami/kubectl:1.28.5"
+ image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- '-c'
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/policies.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- kyverno.io
@@ -38,10 +38,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- kyverno.io
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/policyreports.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- wgpolicyk8s.io
@@ -36,10 +36,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- wgpolicyk8s.io
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/reports.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,28 +8,13 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
@@ -51,24 +36,13 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/rbac/updaterequests.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- kyverno.io
@@ -35,10 +35,10 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- kyverno.io
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrole.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,13 +8,15 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ - matchLabels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/part-of: release-name-kyverno
---
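Review bot: the reports-controller ClusterRole now aggregates any ClusterRole labelled `rbac.kyverno.io/aggregate-to-reports-controller: "true"`, in addition to the instance-scoped selector that was already there. Unlike that selector, the new label is not tied to the release instance, so any principal allowed to create ClusterRoles can widen the reports controller's privileges just by attaching the label. Make sure ClusterRole creation is restricted in this cluster (or guarded by a Kyverno policy on the label) before treating the aggregated role as the controller's effective permission set.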
@@ -27,10 +29,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -39,9 +41,8 @@
- get
- apiGroups:
- ''
resources:
- - secrets
- configmaps
- namespaces
verbs:
- get
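Review bot: cluster-wide get/list/watch on `secrets` is removed from the reports-controller ClusterRole, leaving only configmaps and namespaces. This is a genuine privilege reduction (the controller could previously read every Secret in the cluster); the namespaced Role hunk further down re-adds secrets read in the release namespace only, which is the right shape. Nothing to change, just confirm no policy context in values-uibklab.yaml expects the reports controller to read Secrets from other namespaces.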
@@ -51,12 +52,8 @@
- kyverno.io
resources:
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
- policies
- clusterpolicies
verbs:
@@ -105,12 +102,4 @@
- events
verbs:
- create
- patch
- - apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
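Review bot: the catch-all rule (`apiGroups: '*'`, `resources: '*'`, verbs get/list/watch) is removed from the reports-controller ClusterRole; it amounted to cluster-wide read of every resource. Its replacement is the ClusterRoleBinding to the built-in `view` role in the next file, which deliberately excludes Secrets and only covers CRDs that carry the aggregate-to-view label. Verify that background scans for policies matching non-core CRDs in this cluster still produce reports, since those kinds are no longer readable by default.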
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,14 +8,35 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-kyverno:reports-controller
subjects:
- kind: ServiceAccount
name: kyverno-reports-controller
namespace: default
+---
+# Source: sx-kyverno/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: release-name-kyverno:reports-controller:view
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: release-name-kyverno
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-reports-controller
+ namespace: default
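Review bot: a second ClusterRoleBinding grants the `kyverno-reports-controller` service account the built-in `view` ClusterRole cluster-wide. `view` is aggregated, so everything labelled `rbac.authorization.k8s.io/aggregate-to-view: "true"` (including the kyverno policies, policyreports and updaterequests roles rendered earlier in this diff) becomes readable by the controller; still far narrower than the wildcard rule it replaces. One detail: the binding name `release-name-kyverno:reports-controller:view` is cluster-scoped, so two releases with the same release name in different namespaces would collide on it.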
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/deployment.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
replicas: 1
revisionHistoryLimit: 10
strategy:
@@ -31,10 +31,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
@@ -50,9 +50,9 @@
weight: 1
serviceAccountName: kyverno-reports-controller
containers:
- name: controller
- image: "ghcr.io/kyverno/reports-controller:v1.12.6"
+ image: "ghcr.io/kyverno/reports-controller:v1.13.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
@@ -64,8 +64,9 @@
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --admissionReports=true
- --aggregateReports=true
- --policyReports=true
- --validatingAdmissionPolicyReports=false
@@ -78,12 +79,12 @@
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
- - --reportsChunkSize=0
+ - --enablePolicyException=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-reports-controller
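Review bot: `--enablePolicyException` flips from true to false and `--reportsChunkSize=0` is dropped, with `--resyncPeriod=15m` and `--enableReporting=validate,mutate,mutateExisting,imageVerify,generate` added. The exception flag is the one to look at: with it disabled on the reports controller, PolicyException objects are no longer applied when background scan results are produced, so previously excepted resources may start showing as failing in PolicyReports. If exceptions are in use in this cluster, set the chart value that enables them explicitly rather than inheriting the new default, and confirm the admission controller renders with the same setting so admission and reporting agree.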
diff -U 4 -r out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/servicemonitor.yaml out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/servicemonitor.yaml
--- out/target/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/servicemonitor.yaml 2024-11-22 16:44:44.796345530 +0000
+++ out/pr/backstage/values-uibklab.yaml/sx-backstage/charts/backstage/templates/servicemonitor.yaml 2024-11-22 16:44:11.404509047 +0000
@@ -6,9 +6,9 @@
name: release-name-backstage
namespace: "default"
labels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
spec:
@@ -17,9 +17,9 @@
- "default"
selector:
matchLabels:
app.kubernetes.io/name: backstage
- helm.sh/chart: backstage-2.0.0
+ helm.sh/chart: backstage-2.2.0
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backstage
endpoints:
Only in out/pr/cert-manager: values-metalstack.yaml
Only in out/target/cert-manager/values.yaml/sx-cert-manager: templates
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml 2024-11-22 16:45:00.516259672 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/role.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
rules:
- apiGroups:
- ''
@@ -24,8 +24,16 @@
resourceNames:
- release-name-kyverno
- release-name-kyverno-metrics
- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
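Review bot: the namespaced Role for the reports controller gains get/list/watch on `secrets` in the release namespace. Unlike the configmaps rule above it, this one carries no `resourceNames` restriction (list/watch cannot be name-scoped anyway), so the controller can read every Secret co-located in its namespace, including the webhook TLS material. Acceptable given the cluster-wide secrets read was removed from the ClusterRole, but it is a reason to keep unrelated Secrets out of the kyverno namespace.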
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/rolebinding.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -8,10 +8,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/service.yaml 2024-11-22 16:44:29.216434729 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
ports:
- port: 8000
targetPort: 8000
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml 2024-11-22 16:45:00.508259707 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/serviceaccount.yaml 2024-11-22 16:44:29.208434765 +0000
@@ -9,6 +9,6 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/reports-controller/servicemonitor.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
spec:
selector:
matchLabels:
app.kubernetes.io/component: reports-controller
Only in out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests: admission-controller-liveness.yaml
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/admission-controller-metrics.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
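Review bot: the two `Only in out/target/...templates/tests` entries bracketing this hunk (`admission-controller-liveness.yaml` and `admission-controller-readiness.yaml`) mean the PR render no longer ships the admission-controller liveness and readiness test hooks, while the metrics test in this hunk survives; confirm that chart 3.3.3 dropped those tests upstream rather than a `values-uibklab.yaml` toggle silently disabling them, since `helm test` would otherwise pass without ever probing that the admission webhook endpoint is up.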
Only in out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests: admission-controller-readiness.yaml
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
diff -U 4 -r out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml
--- out/target/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml 2024-11-22 16:45:00.520259654 +0000
+++ out/pr/kyverno/values-uibklab.yaml/sx-kyverno/charts/kyverno/templates/tests/reports-controller-metrics.yaml 2024-11-22 16:44:29.220434711 +0000
@@ -9,10 +9,10 @@
app.kubernetes.io/component: test
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-kyverno
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: kyverno-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: kyverno-3.3.3
annotations:
helm.sh/hook: test
spec:
restartPolicy: Never
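Review bot: the two `Only in out/target/.../charts/crds/templates/kyverno.io` lines right after this hunk show that `kyverno.io_admissionreports.yaml` and `kyverno.io_backgroundscanreports.yaml` are no longer rendered with chart 3.3.3. These CRDs are delivered as ordinary templates of the crds subchart, and no `helm.sh/resource-policy: keep` annotation is visible on the CRDs in this render, so Helm will treat them as removed resources on upgrade and delete the CRDs together with every AdmissionReport and BackgroundScanReport object in the cluster. Check that nothing (dashboards, report consumers, alerting) still reads those kinds, and record the removal in the upgrade notes before merging.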
Only in out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_admissionreports.yaml
Only in out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_backgroundscanreports.yaml
diff -U 4 -r out/target/falco/values-k3d.yaml/sx-falco/charts/falco/templates/configmap.yaml out/pr/falco/values-k3d.yaml/sx-falco/charts/falco/templates/configmap.yaml
--- out/target/falco/values-k3d.yaml/sx-falco/charts/falco/templates/configmap.yaml 2024-11-22 16:44:49.712319644 +0000
+++ out/pr/falco/values-k3d.yaml/sx-falco/charts/falco/templates/configmap.yaml 2024-11-22 16:44:18.176484390 +0000
@@ -5,9 +5,9 @@
metadata:
name: release-name-falco
namespace: default
labels:
- helm.sh/chart: falco-4.11.1
+ helm.sh/chart: falco-4.14.1
app.kubernetes.io/name: falco
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "0.39.1"
app.kubernetes.io/managed-by: Helm |
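Review bot: this jumps the falco chart three minor versions (4.11.1 to 4.14.1) while `app.kubernetes.io/version` stays at `0.39.1`, so the change is in chart packaging rather than the Falco binary; because the file touched is `configmap.yaml`, which carries the sensor configuration, diff the rendered ConfigMap data and not only this label hunk before merging, as a renamed or re-defaulted config key there changes what the sensor detects without producing any error at install time.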
Changes Rendered Chart
diff -U 4 -r out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml
--- out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml 2024-11-22 16:45:00.112261453 +0000
+++ out/pr/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml 2024-11-22 16:44:28.796436641 +0000
@@ -7,12 +7,12 @@
app.kubernetes.io/component: crds
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.2.7
- helm.sh/chart: crds-3.2.7
+ app.kubernetes.io/version: 3.3.3
+ helm.sh/chart: crds-3.3.3
annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: cleanuppolicies.kyverno.io
spec:
group: kyverno.io
names:
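Review bot: besides the crds chart bump, `controller-gen.kubebuilder.io/version` moves from v0.15.0 to v0.16.1, so part of the schema churn in the following hunks (the `x-kubernetes-list-type: atomic` markers) is generator output rather than an API change; when reviewing the rest of this CRD, separate those mechanical additions from the validation tightenings (`oneOf`, `not`/`required` blocks), which are the ones that can reject existing CleanupPolicy objects on their next update.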
@@ -157,8 +157,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
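Review bot: the new `oneOf` block makes exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` mandatory per context entry, which is stricter than anything the previous schema enforced; an existing CleanupPolicy whose context entry sets two sources (or none) will fail admission on its next update, so dry-run the live policies against the new CRD before upgrading. The description directly above (`Either a ConfigMap reference or a APILookup must be provided`) is now out of date with the five alternatives listed and should be refreshed upstream.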
@@ -182,8 +193,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
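Review bot: the new `default` under `apiCall` substitutes an arbitrary JSON object for the context value when the API call errors; for a cleanup policy that means a failed lookup no longer aborts the rule but proceeds with author-supplied data, so a `default` that reads as a permissive answer (for instance an empty list of resources to protect) turns an API outage into deletions. Treat `default` as a fail-open switch in policy review and prefer leaving it unset wherever the apiCall decides which resources get cleaned up.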
@@ -193,8 +209,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -208,8 +225,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
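Review bot: `headers` adds free-form key/value strings to the `service` request and the schema offers no Secret reference, so any `Authorization` or API-key header would be stored in clear text inside the CleanupPolicy object and be readable by anyone with `get` on `cleanuppolicies.kyverno.io`; worth a line in the upgrade notes that endpoints needing authentication should not have their credentials placed in the policy spec, and worth checking that RBAC on this CRD is no wider than needed.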
@@ -253,8 +286,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -326,15 +361,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
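Review bot: two tightenings in this hunk: `variable` now requires `name`, and `exclude` gains `not: required: [any, all]`, which rejects a policy that sets both `any` and `all` in the same exclude block. The description above the new `not` still only says which criteria the exclude can include and does not mention that `any` and `all` are now mutually exclusive; check the live policies for exclude blocks using both keys, as those will be refused on their next update.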
@@ -349,422 +390,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- match:
- description: |-
- MatchResources defines when cleanuppolicy should be applied. The match
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the user name or role.
- At least one kind is required.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
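Review bot: the effective addition in this hunk is `not: required: [name, names]` on ResourceDescription, so `name` (already marked deprecated in favour of `names`) and `names` can no longer be combined in one resource filter; a policy that sets both will fail validation after the CRD upgrade. The 422-line removal shown here reads as the diff tool pairing the repeated selector schemas of neighbouring blocks rather than a real deletion of `exclude.any` or `match`; confirm that by comparing the rendered schema structurally (for example with `kubectl explain` against a test cluster) instead of reading the raw hunk as a feature removal.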
@@ -824,13 +455,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
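Review bot: `x-kubernetes-list-type: atomic` on `values` and on the `matchExpressions` array (here and in the identical hunk that follows) is generator output from the controller-gen bump, but it is not cosmetic: under server-side apply an atomic list is owned and replaced as a whole, so two appliers that each manage one selector requirement will start producing field-manager conflicts instead of merging. Only relevant where policies are managed by more than one controller or GitOps tool, but worth stating in the PR description.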
@@ -894,13 +527,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -966,813 +601,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- type: object
- schedule:
- description: The schedule in Cron format
- type: string
- required:
- - schedule
- type: object
- status:
- description: Status contains policy runtime data.
- properties:
- conditions:
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastExecutionTime:
- format: date-time
- type: string
- type: object
- required:
- - spec
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.schedule
- name: Schedule
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v2alpha1
- schema:
- openAPIV3Schema:
- description: CleanupPolicy defines a rule for resource cleanup.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy behaviors.
- properties:
- conditions:
- description: Conditions defines the conditions used to select the
- resources which will be cleaned up.
- properties:
- all:
- description: |-
- AllConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, all of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- any:
- description: |-
- AnyConditions enable variable-based conditional rule execution. This is useful for
- finer control of when an rule is applied. A condition can reference object data
- using JMESPath notation.
- Here, at least one of the conditions need to pass.
- items:
- properties:
- key:
- description: Key is the context entry (using JMESPath) for
- conditional rule evaluation.
- x-kubernetes-preserve-unknown-fields: true
- message:
- description: Message is an optional display message
- type: string
- operator:
- description: |-
- Operator is the conditional operation to perform. Valid operators are:
- Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
- GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
- DurationLessThanOrEquals, DurationLessThan
- enum:
- - Equals
- - NotEquals
- - AnyIn
- - AllIn
- - AnyNotIn
- - AllNotIn
- - GreaterThanOrEquals
- - GreaterThan
- - LessThanOrEquals
- - LessThan
- - DurationGreaterThanOrEquals
- - DurationGreaterThan
- - DurationLessThanOrEquals
- - DurationLessThan
- type: string
- value:
- description: |-
- Value is the conditional value, or set of values. The values can be fixed set
- or can be variables declared using JMESPath.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: array
- type: object
- context:
- description: Context defines variables and data sources that can be
- used during rule execution.
- items:
- description: |-
- ContextEntry adds variables and data sources to a rule Context. Either a
- ConfigMap reference or a APILookup must be provided.
- properties:
- apiCall:
- description: |-
- APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
- The data returned is stored in the context with the name for the context entry.
- properties:
- data:
- description: |-
- The data object specifies the POST data sent to the server.
- Only applicable when the method field is set to POST.
- items:
- description: RequestData contains the HTTP POST data
- properties:
- key:
- description: Key is a unique identifier for the data
- value
- type: string
- value:
- description: Value is the data value
- x-kubernetes-preserve-unknown-fields: true
- required:
- - key
- - value
- type: object
- type: array
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- method:
- default: GET
- description: Method is the HTTP request type (GET or POST).
- enum:
- - GET
- - POST
- type: string
- service:
- description: |-
- Service is an API call to a JSON web service.
- This is used for non-Kubernetes API server calls.
- It's mutually exclusive with the URLPath field.
- properties:
- caBundle:
- description: |-
- CABundle is a PEM encoded CA bundle which will be used to validate
- the server certificate.
- type: string
- url:
- description: |-
- URL is the JSON web service URL. A typical form is
- `https://{service}.{namespace}:{port}/{path}`.
- type: string
- required:
- - url
- type: object
- urlPath:
- description: |-
- URLPath is the URL path to be used in the HTTP GET or POST request to the
- Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format used by the `kubectl get --raw` command.
- See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
- for details.
- It's mutually exclusive with the Service field.
- type: string
- type: object
- configMap:
- description: ConfigMap is the ConfigMap reference.
- properties:
- name:
- description: Name is the ConfigMap name.
- type: string
- namespace:
- description: Namespace is the ConfigMap namespace.
- type: string
- required:
- - name
- type: object
- globalReference:
- description: GlobalContextEntryReference is a reference to a
- cached global context entry.
- properties:
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the JSON response returned from the server. For example
- a JMESPath of "items | length(@)" applied to the API server response
- for the URLPath "/apis/apps/v1/deployments" will return the total count
- of deployments across all namespaces.
- type: string
- name:
- description: Name of the global context entry
- type: string
- type: object
- imageRegistry:
- description: |-
- ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
- details.
- properties:
- imageRegistryCredentials:
- description: ImageRegistryCredentials provides credentials
- that will be used for authentication with registry
- properties:
- allowInsecureRegistry:
- description: AllowInsecureRegistry allows insecure access
- to a registry.
- type: boolean
- providers:
- description: |-
- Providers specifies a list of OCI Registry names, whose authentication providers are provided.
- It can be of one of these values: default,google,azure,amazon,github.
- items:
- description: ImageRegistryCredentialsProvidersType
- provides the list of credential providers required.
- enum:
- - default
- - amazon
- - azure
- - google
- - github
- type: string
- type: array
- secrets:
- description: |-
- Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
- items:
- type: string
- type: array
- type: object
- jmesPath:
- description: |-
- JMESPath is an optional JSON Match Expression that can be used to
- transform the ImageData struct returned as a result of processing
- the image reference.
- type: string
- reference:
- description: |-
- Reference is image reference to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest
- type: string
- required:
- - reference
- type: object
- name:
- description: Name is the variable name.
- type: string
- variable:
- description: Variable defines an arbitrary JMESPath context
- variable that can be defined inline.
- properties:
- default:
- description: |-
- Default is an optional arbitrary JSON object that the variable may take if the JMESPath
- expression evaluates to nil
- x-kubernetes-preserve-unknown-fields: true
- jmesPath:
- description: |-
- JMESPath is an optional JMESPath Expression that can be used to
- transform the variable.
- type: string
- value:
- description: Value is any arbitrary JSON object representable
- in YAML or JSON form.
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: array
- exclude:
- description: |-
- ExcludeResources defines when cleanuppolicy should not be applied. The exclude
- criteria can include resource information (e.g. kind, name, namespace, labels)
- and admission review request information like the name or role.
- properties:
- all:
- description: All allows specifying resources which will be ANDed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
- properties:
- annotations:
- additionalProperties:
- type: string
- description: |-
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys
- and values support the wildcard characters "*" (matches zero or many characters) and
- "?" (matches at least one character).
- type: object
- kinds:
- description: Kinds is a list of resource kinds.
- items:
- type: string
- type: array
- name:
- description: |-
- Name is the name of the resource. The name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".
- type: string
- names:
- description: |-
- Names are the names of the resources. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- namespaceSelector:
- description: |-
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
- and `?` (matches one character).Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
- does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: |-
- Namespaces is a list of namespaces names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?" (at least one character).
- items:
- type: string
- type: array
- operations:
- description: Operations can contain values ["CREATE,
- "UPDATE", "CONNECT", "DELETE"], which are used to
- match a specific action.
- items:
- description: AdmissionOperation can have one of the
- values CREATE, UPDATE, CONNECT, DELETE, which are
- used to match a specific action.
- enum:
- - CREATE
- - CONNECT
- - UPDATE
- - DELETE
- type: string
- type: array
- selector:
- description: |-
- Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
- characters `*` (matches zero or many characters) and `?` (matches one character).
- Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
- using ["*" : "*"] matches any key and value but does not match an empty label set.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- roles:
- description: Roles is the list of namespaced role names
- for the user.
- items:
- type: string
- type: array
- subjects:
- description: Subjects is the list of subject names like
- users, user groups, and service accounts.
- items:
- description: |-
- Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
- or a value for non-objects such as user and group names.
- properties:
- apiGroup:
- description: |-
- APIGroup holds the API group of the referenced subject.
- Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
- type: string
- kind:
- description: |-
- Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value, the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: |-
- Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
- the Authorizer should report an error.
- type: string
+ not:
required:
- - kind
- name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- type: object
- type: array
- any:
- description: Any allows specifying resources which will be ORed
- items:
- description: ResourceFilter allow users to "AND" or "OR" between
- resources
- properties:
- clusterRoles:
- description: ClusterRoles is the list of cluster-wide role
- names for the user.
- items:
- type: string
- type: array
- resources:
- description: ResourceDescription contains information about
- the resource being created or modified.
+ - names
properties:
annotations:
additionalProperties:
type: string
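Review bot: this hunk deletes a whole `versions` entry (the removed lines carry `name: v2alpha1`, and just above it the preceding entry's `served: true` / `storage: false` tail), and the API server only accepts a CRD update that drops a version if that version is absent from the CRD's `status.storedVersions`; check `kubectl get crd <name> -o jsonpath='{.status.storedVersions}'` on every cluster this chart targets and rewrite any objects still persisted in the dropped version first, otherwise the upgrade fails at the CRD apply. Separately, the diff tool has spliced `+ not:` and `+ - names` into the middle of the removal: the resulting `not: required: [name, names]` makes `name` and `names` mutually exclusive in a ResourceDescription (`name` is already described as deprecated in favour of `names`), so any policy in this repo that sets both will be rejected on its next apply; read the rendered file rather than this hunk to see which versions survive.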
@@ -1832,13 +666,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1902,13 +738,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -1966,8 +804,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
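Review bot: `not: required: [any, all]` on `match` only forbids setting `any` and `all` together; it still admits `match: {}`, so the "At least one kind is required" sentence in the description is not enforced by the schema. If the intent is to reject a CleanupPolicy whose schedule runs with no selector at all, add `anyOf: [{required: [any]}, {required: [all]}]` next to this `not`, as the `oneOf` used for context entries later in this patch already does for that field.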
@@ -1982,8 +824,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2043,13 +889,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2113,13 +961,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2185,8 +1035,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2246,13 +1100,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2316,13 +1172,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2378,25 +1236,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
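Review bot: `match` joins `schedule` in the top-level `required` list, so a CleanupPolicy manifest in this repo that omits `match` will be rejected by admission on its next apply (objects already stored are not revalidated until written); grep the repo's cleanup policies for a missing `match:` block before merging. The trimmed Condition description is fine: the old text leaked a Go struct comment into the served OpenAPI schema.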
@@ -2435,14 +1286,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -2459,10 +1305,10 @@
type: object
required:
- spec
type: object
- served: false
- storage: false
+ served: true
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
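Review bot: the `served: false` / `storage: false` pair replaced here has no `name:` line in the hunk, and the removal above dropped a `name: v2alpha1` entry, so the diff tool is pairing one old version's flags with the surviving first version's flags rather than showing a single version flipping both bits; confirm from the rendered file which version now carries `storage: true` (a CRD must have exactly one, and the final hunk sets v2beta1 to false to keep the count at one) and that serving a version that was previously `served: false` is intended.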
@@ -2470,8 +1316,9 @@
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: CleanupPolicy defines a rule for resource cleanup.
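Review bot: `deprecated: true` on v2beta1 without a `deprecationWarning` field leaves clients with the API server's generic default warning; set `deprecationWarning` to name the replacement version so policy authors know what to migrate to. Since v2beta1 stays `served: true` nothing breaks yet, but every `kubectl apply` of a v2beta1 CleanupPolicy will now surface that warning.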
@@ -2595,8 +1442,19 @@
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
+ oneOf:
+ - required:
+ - configMap
+ - required:
+ - apiCall
+ - required:
+ - imageRegistry
+ - required:
+ - variable
+ - required:
+ - globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
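Review bot: the `oneOf` now enforces exactly one of `configMap`, `apiCall`, `imageRegistry`, `variable` or `globalReference` per context entry, but the description directly above still says "Either a ConfigMap reference or a APILookup must be provided"; update it to list all five alternatives (and fix "a APILookup" to "an APILookup") so the served schema documents the constraint it enforces.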
@@ -2620,8 +1478,13 @@
- key
- value
type: object
type: array
+ default:
+ description: |-
+ Default is an optional arbitrary JSON object that the context
+ value is set to, if the apiCall returns error.
+ x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
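Review bot: `default` turns an `apiCall` failure into a successful evaluation with a chosen value, which is fail-open when the call guards deletion (for example a lookup whose result is meant to stop cleanup of resources still in use): a transient API error now makes the policy proceed with the default instead of skipping the run. The description should state that a default suppresses the error rather than surfacing it, and policy authors should pick a default that makes the cleanup condition evaluate to false.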
@@ -2631,8 +1494,9 @@
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
+ Defaults to GET.
enum:
- GET
- POST
type: string
@@ -2646,8 +1510,24 @@
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
+ headers:
+ description: Headers is a list of optional HTTP headers
+ to be included in the request.
+ items:
+ properties:
+ key:
+ description: Key is the header key
+ type: string
+ value:
+ description: Value is the header value
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
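Review bot: `headers[].value` is a plain string with no Secret reference, so any Authorization or API-key header for the external service has to be written into the CleanupPolicy itself, where anyone with read access to the policy (`kubectl get -o yaml`) can read it. Either document that `headers` must not carry credentials, or add a secretKeyRef-style `valueFrom` alongside `value` before this field is relied on for authenticated calls; `caBundle` just above covers server authentication, not client credentials.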
@@ -2691,8 +1571,10 @@
type: string
name:
description: Name of the global context entry
type: string
+ required:
+ - name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@@ -2764,15 +1646,21 @@
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
+ required:
+ - name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -2787,8 +1675,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -2848,13 +1740,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2918,13 +1812,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -2990,8 +1886,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3051,13 +1951,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3121,13 +2023,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3185,8 +2089,12 @@
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
+ not:
+ required:
+ - any
+ - all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
@@ -3201,8 +2109,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3262,13 +2174,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3332,13 +2246,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3404,8 +2320,12 @@
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
+ not:
+ required:
+ - name
+ - names
properties:
annotations:
additionalProperties:
type: string
@@ -3465,13 +2385,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3535,13 +2457,15 @@
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
@@ -3597,25 +2521,18 @@
schedule:
description: The schedule in Cron format
type: string
required:
+ - match
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
@@ -3654,14 +2571,9 @@
- "False"
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
@@ -3679,7 +2591,7 @@
required:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
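Review bot: flipping v2beta1 to `storage: false` while keeping it served is correct for a deprecated version, but objects already persisted at v2beta1 stay in etcd in that encoding and v2beta1 remains in the CRD's `status.storedVersions` until each one is rewritten; schedule a storage-version migration after this upgrade (a no-op update of every CleanupPolicy, or kube-storage-version-migrator) so that a later chart bump removing v2beta1 is not rejected the way the removal in the first hunk would be if the dropped version were still listed there.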
Only in out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_clusteradmissionreports.yaml
Only in out/target/kyverno/values.yaml/sx-kyverno/charts/kyverno/charts/crds/templates/kyverno.io: kyverno.io_clusterbackgroundscanreports.yaml
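Review bot: the CRD templates `kyverno.io_clusteradmissionreports.yaml` and `kyverno.io_clusterbackgroundscanreports.yaml` exist only in the target render, so this upgrade removes those two CRDs; because they live under the crds subchart's `templates/` directory Helm treats them as ordinary release resources and deletes them on upgrade unless they carry `helm.sh/resource-policy: keep`, and deleting a CRD garbage-collects every object of that kind, so any retained report data is lost. Also, none of the Kyverno changes rendered here are covered by the PR description, which only bumps external-secrets from 0.10.5 to 0.10.6; confirm whether the render base is stale or the branch carries an extra chart bump before merging.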
This PR contains the following updates:
0.10.5 -> 0.10.6
Release Notes
external-secrets/external-secrets (external-secrets)
v0.10.6
Compare Source
Image: ghcr.io/external-secrets/external-secrets:v0.10.6
Image: ghcr.io/external-secrets/external-secrets:v0.10.6-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.10.6-ubi-boringssl
What's Changed
- 69830f2 to cc226ca by @dependabot in https://github.com/external-secrets/external-secrets/pull/4043
- cc226ca to f4a57e8 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4112
- 0974259 to c694a4d by @dependabot in https://github.com/external-secrets/external-secrets/pull/4113
- beefdbd to 1e42bbe by @dependabot in https://github.com/external-secrets/external-secrets/pull/4114
- beefdbd to 1e42bbe in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4118
- beefdbd to 1e42bbe in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4119
- 0e3377d to 3f3b9da in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4120
New Contributors
Full Changelog: external-secrets/external-secrets@v0.10.5...v0.10.6
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.