Documentation ¶
Overview ¶
Copyright 2022 The Kubernetes authors.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
- Constants
- Variables
- func RegisterDefaults(scheme *runtime.Scheme) error
- func Resource(resource string) schema.GroupResource
- func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList)
- func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList)
- type AnyAllConditions
- type CleanupPolicy
- func (in *CleanupPolicy) DeepCopy() *CleanupPolicy
- func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy)
- func (in *CleanupPolicy) DeepCopyObject() runtime.Object
- func (p *CleanupPolicy) GetAPIVersion() string
- func (p *CleanupPolicy) GetExecutionTime() (*time.Time, error)
- func (p *CleanupPolicy) GetKind() string
- func (p *CleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error)
- func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec
- func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus
- func (p *CleanupPolicy) IsNamespaced() bool
- func (p *CleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList)
- type CleanupPolicyList
- type CleanupPolicySpec
- func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec
- func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec)
- func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList)
- func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList)
- type CleanupPolicyStatus
- type ClusterCleanupPolicy
- func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy
- func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy)
- func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object
- func (p *ClusterCleanupPolicy) GetAPIVersion() string
- func (p *ClusterCleanupPolicy) GetExecutionTime() (*time.Time, error)
- func (p *ClusterCleanupPolicy) GetKind() string
- func (p *ClusterCleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error)
- func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec
- func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus
- func (p *ClusterCleanupPolicy) IsNamespaced() bool
- func (p *ClusterCleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList)
- type ClusterCleanupPolicyList
- type ClusterPolicy
- func (p *ClusterPolicy) AdmissionProcessingEnabled() bool
- func (p *ClusterPolicy) BackgroundProcessingEnabled() bool
- func (in *ClusterPolicy) DeepCopy() *ClusterPolicy
- func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)
- func (in *ClusterPolicy) DeepCopyObject() runtime.Object
- func (p *ClusterPolicy) GetKind() string
- func (p *ClusterPolicy) GetSpec() *Spec
- func (p *ClusterPolicy) HasAutoGenAnnotation() bool
- func (p *ClusterPolicy) HasGenerate() bool
- func (p *ClusterPolicy) HasMutate() bool
- func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool
- func (p *ClusterPolicy) HasValidate() bool
- func (p *ClusterPolicy) HasVerifyImages() bool
- func (p *ClusterPolicy) IsNamespaced() bool
- func (p *ClusterPolicy) IsReady() bool
- func (p *ClusterPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList)
- type ClusterPolicyList
- type Condition
- type ConditionOperator
- type Deny
- type Exception
- type ImageVerification
- type MatchResources
- func (in *MatchResources) DeepCopy() *MatchResources
- func (in *MatchResources) DeepCopyInto(out *MatchResources)
- func (m *MatchResources) GetKinds() []string
- func (m *MatchResources) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList)
- func (m *MatchResources) ValidateNoUserInfo(path *field.Path) (errs field.ErrorList)
- func (m *MatchResources) ValidateResourceWithNoUserInfo(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList)
- type Policy
- func (p *Policy) AdmissionProcessingEnabled() bool
- func (p *Policy) BackgroundProcessingEnabled() bool
- func (in *Policy) DeepCopy() *Policy
- func (in *Policy) DeepCopyInto(out *Policy)
- func (in *Policy) DeepCopyObject() runtime.Object
- func (p *Policy) GetKind() string
- func (p *Policy) GetSpec() *Spec
- func (p *Policy) HasAutoGenAnnotation() bool
- func (p *Policy) HasGenerate() bool
- func (p *Policy) HasMutate() bool
- func (p *Policy) HasMutateOrValidateOrGenerate() bool
- func (p *Policy) HasValidate() bool
- func (p *Policy) HasVerifyImages() bool
- func (p *Policy) IsNamespaced() bool
- func (p *Policy) IsReady() bool
- func (p *Policy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList)
- type PolicyException
- func (p *PolicyException) Contains(policy string, rule string) bool
- func (in *PolicyException) DeepCopy() *PolicyException
- func (in *PolicyException) DeepCopyInto(out *PolicyException)
- func (in *PolicyException) DeepCopyObject() runtime.Object
- func (p *PolicyException) GetKind() string
- func (p *PolicyException) HasPodSecurity() bool
- func (p *PolicyException) Validate() (errs field.ErrorList)
- type PolicyExceptionList
- type PolicyExceptionSpec
- func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool
- func (p *PolicyExceptionSpec) Contains(policy string, rule string) bool
- func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec
- func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec)
- func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList)
- type PolicyList
- type ResourceDescription
- func (in *ResourceDescription) DeepCopy() *ResourceDescription
- func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription)
- func (r ResourceDescription) GetOperations() []string
- func (r *ResourceDescription) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList)
- type ResourceFilter
- type ResourceFilters
- type Rule
- func (in *Rule) DeepCopy() *Rule
- func (in *Rule) DeepCopyInto(out *Rule)
- func (r *Rule) GetGenerateTypeAndSync() (_ kyvernov1.GenerateType, sync bool, orphanDownstream bool)
- func (r *Rule) HasGenerate() bool
- func (r *Rule) HasMutate() bool
- func (r *Rule) HasMutateExisting() bool
- func (r *Rule) HasMutateStandard() bool
- func (r *Rule) HasValidate() bool
- func (r *Rule) HasValidateCEL() bool
- func (r Rule) HasValidatePodSecurity() bool
- func (r *Rule) HasVerifyImageChecks() bool
- func (r *Rule) HasVerifyImages() bool
- func (r Rule) HasVerifyManifests() bool
- func (r *Rule) Validate(path *field.Path, namespaced bool, policyNamespace string, ...) (errs field.ErrorList)
- func (r *Rule) ValidateGenerate(path *field.Path, namespaced bool, policyNamespace string, ...) (errs field.ErrorList)
- func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList)
- func (r *Rule) ValidateRuleType(path *field.Path) (errs field.ErrorList)
- type Spec
- func (s *Spec) AdmissionProcessingEnabled() bool
- func (s *Spec) BackgroundProcessingEnabled() bool
- func (s *Spec) CustomWebhookConfiguration() bool
- func (in *Spec) DeepCopy() *Spec
- func (in *Spec) DeepCopyInto(out *Spec)
- func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType
- func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType
- func (s *Spec) GetMutateExistingOnPolicyUpdate() bool
- func (s *Spec) HasGenerate() bool
- func (s *Spec) HasMutate() bool
- func (s *Spec) HasMutateExisting() bool
- func (s *Spec) HasMutateOrValidateOrGenerate() bool
- func (s *Spec) HasMutateStandard() bool
- func (s *Spec) HasValidate() bool
- func (s *Spec) HasVerifyImageChecks() bool
- func (s *Spec) HasVerifyImages() bool
- func (s *Spec) HasVerifyManifests() bool
- func (s *Spec) IsGenerateExisting() bool
- func (s *Spec) SetRules(rules []Rule)
- func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace string, ...) (errs field.ErrorList)
- func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList)
- func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList)
- func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace string, ...) (errs field.ErrorList)
- type Validation
- type WebhookConfiguration
Constants ¶
// GroupName is the API group under which every object in this package is registered.
const GroupName = "kyverno.io"
GroupName specifies the group name used to register the objects.
Variables ¶
var (
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
	SchemeBuilder runtime.SchemeBuilder
	// Deprecated: use Install instead.
	AddToScheme = localSchemeBuilder.AddToScheme
	// Install adds this package's types to the given scheme; it is the same
	// function value as AddToScheme.
	Install = localSchemeBuilder.AddToScheme
)
// ConditionOperators stores all the valid ConditionOperator types as key-value pairs.
// The keys are the exact strings accepted in a Condition's "operator" field; the set
// matches the +kubebuilder:validation:Enum marker on ConditionOperator. Numeric
// operators compare key and value as numbers, Duration operators as durations.
var ConditionOperators = map[string]ConditionOperator{
	// key is equal to / not equal to the value
	"Equals":    ConditionOperator("Equals"),
	"NotEquals": ConditionOperator("NotEquals"),
	// set membership: any/all of the keys (not) contained in the set of values
	"AnyIn":    ConditionOperator("AnyIn"),
	"AllIn":    ConditionOperator("AllIn"),
	"AnyNotIn": ConditionOperator("AnyNotIn"),
	"AllNotIn": ConditionOperator("AllNotIn"),
	// numeric comparisons of key against value
	"GreaterThanOrEquals": ConditionOperator("GreaterThanOrEquals"),
	"GreaterThan":         ConditionOperator("GreaterThan"),
	"LessThanOrEquals":    ConditionOperator("LessThanOrEquals"),
	"LessThan":            ConditionOperator("LessThan"),
	// duration comparisons of key against value
	"DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"),
	"DurationGreaterThan":         ConditionOperator("DurationGreaterThan"),
	"DurationLessThanOrEquals":    ConditionOperator("DurationLessThanOrEquals"),
	"DurationLessThan":            ConditionOperator("DurationLessThan"),
}
ConditionOperators stores all the valid ConditionOperator types as key-value pairs. "Equals" evaluates if the key is equal to the value. "NotEquals" evaluates if the key is not equal to the value. "AnyIn" evaluates if any of the keys are contained in the set of values. "AllIn" evaluates if all the keys are contained in the set of values. "AnyNotIn" evaluates if any of the keys are not contained in the set of values. "AllNotIn" evaluates if all the keys are not contained in the set of values. "GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric). "GreaterThan" evaluates if the key (numeric) is greater than the value (numeric). "LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric). "LessThan" evaluates if the key (numeric) is less than the value (numeric). "DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration). "DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration). "DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration). "DurationLessThan" evaluates if the key (duration) is less than the value (duration).
// GroupVersion specifies the group and the version used to register the objects.
// "v2beta1" is a beta API; prefer it over the deprecated SchemeGroupVersion.
var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v2beta1"}
GroupVersion specifies the group and the version used to register the objects.
// SchemeGroupVersion is the group version used to register these objects.
//
// Deprecated: use GroupVersion instead.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2beta1"}
SchemeGroupVersion is the group version used to register these objects. Deprecated: use GroupVersion instead.
Functions ¶
func RegisterDefaults ¶ added in v1.10.5
RegisterDefaults adds defaulters functions to the given scheme. Public to allow building arbitrary schemes. All generated defaulters are covering - they call all nested defaulters.
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
func ValidateContext ¶ added in v1.10.5
Types ¶
type AnyAllConditions ¶
// AnyAllConditions groups conditions into an OR-ed set (any) and an AND-ed set (all).
// NOTE(review): what the block evaluates to when both lists are empty is decided by
// the evaluator, not by this type — confirm before relying on an empty conditions block.
type AnyAllConditions struct {
	// AnyConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when a rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, at least one of the conditions needs to pass.
	// +optional
	AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
	// AllConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when a rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, all of the conditions need to pass.
	// +optional
	AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
}
func (*AnyAllConditions) DeepCopy ¶
func (in *AnyAllConditions) DeepCopy() *AnyAllConditions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions.
func (*AnyAllConditions) DeepCopyInto ¶
func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CleanupPolicy ¶ added in v1.10.5
// CleanupPolicy defines a rule for resource cleanup. It carries the same
// CleanupPolicySpec as ClusterCleanupPolicy; use IsNamespaced to tell the two
// scopes apart.
type CleanupPolicy struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec declares policy behaviors (what to match and when to delete it).
	Spec CleanupPolicySpec `json:"spec"`
	// Status contains policy runtime data.
	// +optional
	Status CleanupPolicyStatus `json:"status,omitempty"`
}
CleanupPolicy defines a rule for resource cleanup.
func (*CleanupPolicy) DeepCopy ¶ added in v1.10.5
func (in *CleanupPolicy) DeepCopy() *CleanupPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicy.
func (*CleanupPolicy) DeepCopyInto ¶ added in v1.10.5
func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CleanupPolicy) DeepCopyObject ¶ added in v1.10.5
func (in *CleanupPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*CleanupPolicy) GetAPIVersion ¶ added in v1.10.5
func (p *CleanupPolicy) GetAPIVersion() string
GetAPIVersion returns the resource's API version (not its kind; see GetKind for that).
func (*CleanupPolicy) GetExecutionTime ¶ added in v1.10.5
func (p *CleanupPolicy) GetExecutionTime() (*time.Time, error)
GetExecutionTime returns the execution time of the policy
func (*CleanupPolicy) GetKind ¶ added in v1.10.5
func (p *CleanupPolicy) GetKind() string
GetKind returns the resource kind
func (*CleanupPolicy) GetNextExecutionTime ¶ added in v1.10.5
GetNextExecutionTime returns the next execution time of the policy
func (*CleanupPolicy) GetSpec ¶ added in v1.10.5
func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec
GetSpec returns the policy spec
func (*CleanupPolicy) GetStatus ¶ added in v1.10.5
func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus
GetStatus returns the policy status
func (*CleanupPolicy) IsNamespaced ¶ added in v1.10.5
func (p *CleanupPolicy) IsNamespaced() bool
IsNamespaced indicates if the policy is namespace scoped
type CleanupPolicyList ¶ added in v1.10.5
// CleanupPolicyList is a list of CleanupPolicy instances.
type CleanupPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	// Items holds the policies in this list.
	Items []CleanupPolicy `json:"items"`
}
CleanupPolicyList is a list of CleanupPolicy instances.
func (*CleanupPolicyList) DeepCopy ¶ added in v1.10.5
func (in *CleanupPolicyList) DeepCopy() *CleanupPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyList.
func (*CleanupPolicyList) DeepCopyInto ¶ added in v1.10.5
func (in *CleanupPolicyList) DeepCopyInto(out *CleanupPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CleanupPolicyList) DeepCopyObject ¶ added in v1.10.5
func (in *CleanupPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CleanupPolicySpec ¶ added in v1.10.5
// CleanupPolicySpec stores specifications for selecting resources that the user needs
// to delete and a schedule for when the matching resources are deleted.
// Because the outcome of a match is deletion, match criteria should be as narrow as
// possible; ValidateMatchExcludeConflict checks that match minus exclude is not empty.
type CleanupPolicySpec struct {
	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
	// MatchResources defines when the cleanup policy should be applied. The match
	// criteria can include resource information (e.g. kind, name, namespace, labels).
	// At least one kind is required.
	// NOTE(review): the original comment also listed admission-review request
	// information (user name or role); a cleanup policy runs on a schedule rather than
	// at admission time, so such fields are presumably rejected by validation (see
	// MatchResources.ValidateNoUserInfo) — confirm in Validate.
	MatchResources MatchResources `json:"match,omitempty"`
	// ExcludeResources defines when the cleanup policy should not be applied. The
	// exclude criteria can include the same resource information as match.
	// +optional
	ExcludeResources *MatchResources `json:"exclude,omitempty"`
	// Schedule is the schedule, in Cron format, on which matching resources are deleted.
	// NOTE(review): ValidateSchedule in this package presumably parses it — confirm the
	// accepted cron dialect (5- vs 6-field) there.
	Schedule string `json:"schedule"`
	// Conditions defines the conditions used to select the resources which will be
	// cleaned up. When omitted, selection is presumably by match/exclude alone — confirm.
	// +optional
	Conditions *AnyAllConditions `json:"conditions,omitempty"`
}
CleanupPolicySpec stores specifications for selecting the resources that the user needs to delete and a schedule for when the matching resources are to be deleted.
func (*CleanupPolicySpec) DeepCopy ¶ added in v1.10.5
func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicySpec.
func (*CleanupPolicySpec) DeepCopyInto ¶ added in v1.10.5
func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CleanupPolicySpec) Validate ¶ added in v1.10.5
func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList)
Validate implements programmatic validation
func (*CleanupPolicySpec) ValidateMatchExcludeConflict ¶ added in v1.10.5
func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList)
ValidateMatchExcludeConflict checks that the set of resources selected by the match block, minus those removed by the exclude block, is not empty (i.e. the policy can still match something).
type CleanupPolicyStatus ¶ added in v1.10.5
// CleanupPolicyStatus stores the status of the policy.
type CleanupPolicyStatus struct {
	// Conditions holds standard metav1 conditions describing the policy; entries
	// are merged by type on patch (patchStrategy/patchMergeKey).
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
	// LastExecutionTime is the time the policy last executed (see GetExecutionTime).
	LastExecutionTime metav1.Time `json:"lastExecutionTime,omitempty"`
}
CleanupPolicyStatus stores the status of the policy.
func (*CleanupPolicyStatus) DeepCopy ¶ added in v1.10.5
func (in *CleanupPolicyStatus) DeepCopy() *CleanupPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyStatus.
func (*CleanupPolicyStatus) DeepCopyInto ¶ added in v1.10.5
func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterCleanupPolicy ¶ added in v1.10.5
// ClusterCleanupPolicy defines a rule for resource cleanup. It carries the same
// CleanupPolicySpec as CleanupPolicy; use IsNamespaced to tell the two scopes apart.
type ClusterCleanupPolicy struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec declares policy behaviors (what to match and when to delete it).
	Spec CleanupPolicySpec `json:"spec"`
	// Status contains policy runtime data.
	// +optional
	Status CleanupPolicyStatus `json:"status,omitempty"`
}
ClusterCleanupPolicy defines a rule for resource cleanup.
func (*ClusterCleanupPolicy) DeepCopy ¶ added in v1.10.5
func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicy.
func (*ClusterCleanupPolicy) DeepCopyInto ¶ added in v1.10.5
func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterCleanupPolicy) DeepCopyObject ¶ added in v1.10.5
func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterCleanupPolicy) GetAPIVersion ¶ added in v1.10.5
func (p *ClusterCleanupPolicy) GetAPIVersion() string
GetAPIVersion returns the resource's API version (not its kind; see GetKind for that).
func (*ClusterCleanupPolicy) GetExecutionTime ¶ added in v1.10.5
func (p *ClusterCleanupPolicy) GetExecutionTime() (*time.Time, error)
GetExecutionTime returns the execution time of the policy
func (*ClusterCleanupPolicy) GetKind ¶ added in v1.10.5
func (p *ClusterCleanupPolicy) GetKind() string
GetKind returns the resource kind
func (*ClusterCleanupPolicy) GetNextExecutionTime ¶ added in v1.10.5
GetNextExecutionTime returns the next execution time of the policy
func (*ClusterCleanupPolicy) GetSpec ¶ added in v1.10.5
func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec
GetSpec returns the policy spec
func (*ClusterCleanupPolicy) GetStatus ¶ added in v1.10.5
func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus
GetStatus returns the policy status
func (*ClusterCleanupPolicy) IsNamespaced ¶ added in v1.10.5
func (p *ClusterCleanupPolicy) IsNamespaced() bool
IsNamespaced indicates if the policy is namespace scoped
type ClusterCleanupPolicyList ¶ added in v1.10.5
// ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances.
type ClusterCleanupPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	// Items holds the policies in this list.
	Items []ClusterCleanupPolicy `json:"items"`
}
ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances.
func (*ClusterCleanupPolicyList) DeepCopy ¶ added in v1.10.5
func (in *ClusterCleanupPolicyList) DeepCopy() *ClusterCleanupPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicyList.
func (*ClusterCleanupPolicyList) DeepCopyInto ¶ added in v1.10.5
func (in *ClusterCleanupPolicyList) DeepCopyInto(out *ClusterCleanupPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterCleanupPolicyList) DeepCopyObject ¶ added in v1.10.5
func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ClusterPolicy ¶
// ClusterPolicy declares validation, mutation, and generation behaviors for matching
// resources. See IsReady for whether the policy is ready to serve admission requests.
type ClusterPolicy struct {
	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
	// Spec declares policy behaviors.
	Spec Spec `json:"spec" yaml:"spec"`
	// Status contains policy runtime data.
	// +optional
	Status kyvernov1.PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}
ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.
func (*ClusterPolicy) AdmissionProcessingEnabled ¶ added in v1.10.5
func (p *ClusterPolicy) AdmissionProcessingEnabled() bool
AdmissionProcessingEnabled checks if admission is set to true
func (*ClusterPolicy) BackgroundProcessingEnabled ¶
func (p *ClusterPolicy) BackgroundProcessingEnabled() bool
BackgroundProcessingEnabled checks if background is set to true
func (*ClusterPolicy) DeepCopy ¶
func (in *ClusterPolicy) DeepCopy() *ClusterPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy.
func (*ClusterPolicy) DeepCopyInto ¶
func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterPolicy) DeepCopyObject ¶
func (in *ClusterPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterPolicy) GetKind ¶
func (p *ClusterPolicy) GetKind() string
func (*ClusterPolicy) GetSpec ¶
func (p *ClusterPolicy) GetSpec() *Spec
GetSpec returns the policy spec
func (*ClusterPolicy) HasAutoGenAnnotation ¶
func (p *ClusterPolicy) HasAutoGenAnnotation() bool
HasAutoGenAnnotation checks if a policy has auto-gen annotation
func (*ClusterPolicy) HasGenerate ¶
func (p *ClusterPolicy) HasGenerate() bool
HasGenerate checks for generate rule types
func (*ClusterPolicy) HasMutate ¶
func (p *ClusterPolicy) HasMutate() bool
HasMutate checks for mutate rule types
func (*ClusterPolicy) HasMutateOrValidateOrGenerate ¶
func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool
HasMutateOrValidateOrGenerate checks for rule types
func (*ClusterPolicy) HasValidate ¶
func (p *ClusterPolicy) HasValidate() bool
HasValidate checks for validate rule types
func (*ClusterPolicy) HasVerifyImages ¶
func (p *ClusterPolicy) HasVerifyImages() bool
HasVerifyImages checks for image verification rule types
func (*ClusterPolicy) IsNamespaced ¶
func (p *ClusterPolicy) IsNamespaced() bool
IsNamespaced indicates if the policy is namespace scoped
func (*ClusterPolicy) IsReady ¶
func (p *ClusterPolicy) IsReady() bool
IsReady indicates if the policy is ready to serve the admission request
type ClusterPolicyList ¶
// ClusterPolicyList is a list of ClusterPolicy instances.
type ClusterPolicyList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`
	// Items holds the policies in this list.
	Items []ClusterPolicy `json:"items" yaml:"items"`
}
ClusterPolicyList is a list of ClusterPolicy instances.
func (*ClusterPolicyList) DeepCopy ¶
func (in *ClusterPolicyList) DeepCopy() *ClusterPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyList.
func (*ClusterPolicyList) DeepCopyInto ¶
func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterPolicyList) DeepCopyObject ¶
func (in *ClusterPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type Condition ¶
// Condition is a single key/operator/value check evaluated against context data.
type Condition struct {
	// Key is the context entry (using JMESPath) for conditional rule evaluation.
	RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"`
	// Operator is the conditional operation to perform. Valid operators are:
	// Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
	// GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
	// DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan.
	// NOTE(review): "In" and "NotIn" were listed here previously but are absent from
	// ConditionOperators and from the +kubebuilder enum on ConditionOperator, so they
	// are presumably rejected by CRD validation — confirm before relying on either.
	Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
	// Value is the conditional value, or set of values. The values can be a fixed set
	// or can be variables declared using JMESPath.
	// +optional
	RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`
	// Message is an optional display message.
	Message string `json:"message,omitempty" yaml:"message,omitempty"`
}
func (*Condition) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (*Condition) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Condition) GetKey ¶ added in v1.9.0
func (c *Condition) GetKey() apiextensions.JSON
func (*Condition) GetValue ¶ added in v1.9.0
func (c *Condition) GetValue() apiextensions.JSON
func (*Condition) SetKey ¶ added in v1.9.0
func (c *Condition) SetKey(in apiextensions.JSON)
func (*Condition) SetValue ¶ added in v1.9.0
func (c *Condition) SetValue(in apiextensions.JSON)
type ConditionOperator ¶
// ConditionOperator is the operation performed on condition key and value.
// The enum below is the authoritative list; ConditionOperators mirrors it.
// +kubebuilder:validation:Enum=Equals;NotEquals;AnyIn;AllIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan
type ConditionOperator string
ConditionOperator is the operation performed on condition key and value. +kubebuilder:validation:Enum=Equals;NotEquals;AnyIn;AllIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan
type Deny ¶
// Deny specifies a list of conditions used to pass or fail a validation rule.
type Deny struct {
	// Multiple conditions can be declared under an `any` or `all` statement.
	// See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
	// NOTE(review): how an omitted/empty conditions block resolves (deny or allow)
	// is decided by the evaluator, not by this type — confirm before relying on it.
	RawAnyAllConditions *AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}
Deny specifies a list of conditions used to pass or fail a validation rule.
func (*Deny) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deny.
func (*Deny) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Exception ¶ added in v1.10.5
// Exception names one policy and the rules within it to which a PolicyException
// applies. Each entry widens what the policy allows, so keep RuleNames explicit.
type Exception struct {
	// PolicyName identifies the policy to which the exception is applied.
	// The policy name uses the format <namespace>/<name> unless it
	// references a ClusterPolicy.
	PolicyName string `json:"policyName" yaml:"policyName"`
	// RuleNames identifies the rules to which the exception is applied.
	// NOTE(review): whether wildcards are honoured in rule names is not visible in
	// this type — confirm in Contains before assuming an exact-match semantics.
	RuleNames []string `json:"ruleNames" yaml:"ruleNames"`
}
Exception stores information about a policy and the rules within it to which an exception applies.
func (*Exception) Contains ¶ added in v1.10.5
Contains returns true if it contains an exception for the given policy/rule pair
func (*Exception) DeepCopy ¶ added in v1.10.5
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Exception.
func (*Exception) DeepCopyInto ¶ added in v1.10.5
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ImageVerification ¶
// ImageVerification validates that images matching ImageReferences carry a signature
// (Cosign or Notary, per Type) and/or in-toto attestations from the configured
// Attestors, and optionally rewrites the image reference to its digest.
type ImageVerification struct {
	// Type specifies the method of signature validation. The allowed options
	// are Cosign and Notary. By default Cosign is used if a type is not specified.
	// +kubebuilder:validation:Optional
	Type kyvernov1.ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
	// ImageReferences is a list of matching image reference patterns. At least one pattern in the
	// list must match the image for the rule to apply. Each image reference consists of a registry
	// address (defaults to docker.io), repository, image, and tag (defaults to latest).
	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
	// +kubebuilder:validation:Optional
	ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"`
	// SkipImageReferences is a list of matching image reference patterns that should be skipped.
	// At least one pattern in the list must match the image for the rule to be skipped. Each image reference
	// consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
	// Security note: an image matched here is exempt from this rule entirely, so keep the
	// patterns as narrow as possible (a pattern such as "*" would exempt every image).
	// +kubebuilder:validation:Optional
	SkipImageReferences []string `json:"skipImageReferences,omitempty" yaml:"skipImageReferences,omitempty"`
	// Attestors specifies the required attestors (i.e. authorities) whose signatures
	// establish trust in the image.
	// +kubebuilder:validation:Optional
	Attestors []kyvernov1.AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"`
	// Attestations are optional checks for signed in-toto Statements used to verify the image.
	// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
	// OCI registry and decodes them into a list of Statement declarations.
	Attestations []kyvernov1.Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"`
	// Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
	// If specified Repository will override the default OCI image repository configured for the installation.
	// The repository can also be overridden per Attestor or Attestation.
	// This changes only where signatures are looked up; which signatures are trusted is
	// still decided by Attestors.
	Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
	// MutateDigest enables replacement of image tags with digests, so that the content
	// that was verified is the content that is pulled (a tag can be re-pointed after
	// verification; a digest cannot).
	// Defaults to true.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	MutateDigest bool `json:"mutateDigest" yaml:"mutateDigest"`
	// VerifyDigest validates that images have a digest.
	// NOTE(review): whether this is evaluated before or after MutateDigest rewrites a
	// tag-only reference is not visible here — confirm in the engine before relying on
	// it to reject tag-only images.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	VerifyDigest bool `json:"verifyDigest" yaml:"verifyDigest"`
	// Required validates that images are verified, i.e. have passed a signature or attestation check.
	// Defaults to true. Setting it to false admits an image that passed no check, turning
	// the rule into a best-effort check rather than an enforcement gate.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	Required bool `json:"required" yaml:"required"`
	// ImageRegistryCredentials provides credentials that will be used for authentication with the registry.
	// +kubebuilder:validation:Optional
	ImageRegistryCredentials *kyvernov1.ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
	// UseCache enables caching of image verify responses for this rule. Defaults to true.
	// NOTE(review): the cache TTL and key (tag vs. digest) are not defined in this type;
	// if entries are keyed by tag, a re-pointed tag could reuse a stale pass — confirm
	// before relying on it for mutable-tag images.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	UseCache bool `json:"useCache" yaml:"useCache"`
}
ImageVerification validates that images matching the specified patterns are signed by the configured attestors (Cosign or Notary signatures and/or in-toto attestations). Once an image is verified, its reference is mutated to the digest retrieved from the registry (when mutateDigest is true), so that the verified content is what gets pulled.
func (*ImageVerification) DeepCopy ¶
func (in *ImageVerification) DeepCopy() *ImageVerification
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.
func (*ImageVerification) DeepCopyInto ¶
func (in *ImageVerification) DeepCopyInto(out *ImageVerification)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MatchResources ¶
// MatchResources is used to specify resource and admission review request data for which a
// policy rule (or a policy exception, see PolicyExceptionSpec.Match) is applicable. Any and All
// are two ways of combining the same kind of filters: entries under Any are ORed, entries under
// All are ANDed.
type MatchResources struct {
	// Any allows specifying resources which will be ORed
	// +optional
	Any kyvernov1.ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`

	// All allows specifying resources which will be ANDed
	// +optional
	All kyvernov1.ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`
}
MatchResources is used to specify resource and admission review request data for which a policy rule is applicable.
func (*MatchResources) DeepCopy ¶
func (in *MatchResources) DeepCopy() *MatchResources
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.
func (*MatchResources) DeepCopyInto ¶
func (in *MatchResources) DeepCopyInto(out *MatchResources)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*MatchResources) GetKinds ¶
func (m *MatchResources) GetKinds() []string
GetKinds returns all kinds
func (*MatchResources) Validate ¶
func (m *MatchResources) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList)
Validate implements programmatic validation
func (*MatchResources) ValidateNoUserInfo ¶ added in v1.9.0
func (m *MatchResources) ValidateNoUserInfo(path *field.Path) (errs field.ErrorList)
ValidateNoUserInfo verifies that no user info is used
func (*MatchResources) ValidateResourceWithNoUserInfo ¶ added in v1.10.0
func (m *MatchResources) ValidateResourceWithNoUserInfo(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList)
ValidateResourceWithNoUserInfo implements programmatic validation and verifies that no user info is used
type Policy ¶
// Policy declares validation, mutation, and generation behaviors for matching resources.
// Whether a given Policy object is namespace scoped is reported by IsNamespaced.
// See: https://kyverno.io/docs/writing-policies/ for more information.
type Policy struct {
	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

	// Spec defines policy behaviors and contains one or more rules.
	Spec Spec `json:"spec" yaml:"spec"`

	// Status contains policy runtime data.
	// +optional
	Status kyvernov1.PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}
Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.
func (*Policy) AdmissionProcessingEnabled ¶ added in v1.10.5
AdmissionProcessingEnabled checks if admission is set to true
func (*Policy) BackgroundProcessingEnabled ¶
BackgroundProcessingEnabled checks if background is set to true
func (*Policy) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (*Policy) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Policy) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*Policy) HasAutoGenAnnotation ¶
HasAutoGenAnnotation checks if a policy has auto-gen annotation
func (*Policy) HasGenerate ¶
HasGenerate checks for generate rule types
func (*Policy) HasMutateOrValidateOrGenerate ¶
HasMutateOrValidateOrGenerate checks for rule types
func (*Policy) HasValidate ¶
HasValidate checks for validate rule types
func (*Policy) HasVerifyImages ¶
HasVerifyImages checks for image verification rule types
func (*Policy) IsNamespaced ¶
IsNamespaced indicates if the policy is namespace scoped
type PolicyException ¶ added in v1.10.5
// PolicyException declares resources to be excluded from specified policies.
//
// NOTE(review): an exception suppresses the named policy/rule pairs for every resource its
// spec matches, so the ability to create or edit these objects is equivalent to the ability
// to weaken the policies themselves — confirm that RBAC on this kind is as tight as on
// Policy/ClusterPolicy in your deployment.
type PolicyException struct {
	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

	// Spec declares policy exception behaviors.
	Spec PolicyExceptionSpec `json:"spec" yaml:"spec"`
}
PolicyException declares resources to be excluded from specified policies.
func (*PolicyException) Contains ¶ added in v1.10.5
func (p *PolicyException) Contains(policy string, rule string) bool
Contains returns true if it contains an exception for the given policy/rule pair
func (*PolicyException) DeepCopy ¶ added in v1.10.5
func (in *PolicyException) DeepCopy() *PolicyException
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyException.
func (*PolicyException) DeepCopyInto ¶ added in v1.10.5
func (in *PolicyException) DeepCopyInto(out *PolicyException)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyException) DeepCopyObject ¶ added in v1.10.5
func (in *PolicyException) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*PolicyException) GetKind ¶ added in v1.12.0
func (p *PolicyException) GetKind() string
func (*PolicyException) HasPodSecurity ¶ added in v1.12.0
func (p *PolicyException) HasPodSecurity() bool
HasPodSecurity checks whether podSecurity controls are specified
func (*PolicyException) Validate ¶ added in v1.10.5
func (p *PolicyException) Validate() (errs field.ErrorList)
Validate implements programmatic validation
type PolicyExceptionList ¶ added in v1.10.5
// PolicyExceptionList is a list of Policy Exceptions, as returned by a list/watch call
// against the PolicyException resource.
type PolicyExceptionList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`

	// Items holds the PolicyException objects in this list.
	Items []PolicyException `json:"items" yaml:"items"`
}
PolicyExceptionList is a list of Policy Exceptions
func (*PolicyExceptionList) DeepCopy ¶ added in v1.10.5
func (in *PolicyExceptionList) DeepCopy() *PolicyExceptionList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionList.
func (*PolicyExceptionList) DeepCopyInto ¶ added in v1.10.5
func (in *PolicyExceptionList) DeepCopyInto(out *PolicyExceptionList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyExceptionList) DeepCopyObject ¶ added in v1.10.5
func (in *PolicyExceptionList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyExceptionSpec ¶ added in v1.10.5
// PolicyExceptionSpec stores policy exception spec: which resources (Match, optionally narrowed
// by Conditions) are exempted from which policy/rule pairs (Exceptions), and optionally which
// Pod Security Standard controls are relaxed for them (PodSecurity).
type PolicyExceptionSpec struct {
	// Background controls if exceptions are applied to existing policies during a background scan.
	// Optional. Default value is "true". The value must be set to "false" if the policy rule
	// uses variables that are only available in the admission review request (e.g. user name).
	Background *bool `json:"background,omitempty" yaml:"background,omitempty"`

	// Match defines match clause used to check if a resource applies to the exception
	// NOTE(review): names, namespaces, annotations and selectors in the match clause accept
	// wildcards (see ResourceDescription); a wildcard-only match turns this into a blanket
	// exemption for the listed rules, so keep it as narrow as the use case allows.
	Match MatchResources `json:"match" yaml:"match"`

	// Conditions are used to determine if a resource applies to the exception by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements.
	// NOTE(review): unlike the sibling fields this one has no yaml tag — confirm that is intended.
	// +optional
	Conditions *AnyAllConditions `json:"conditions,omitempty"`

	// Exceptions is a list policy/rules to be excluded
	Exceptions []Exception `json:"exceptions" yaml:"exceptions"`

	// PodSecurity specifies the Pod Security Standard controls to be excluded.
	// Applicable only to policies that have validate.podSecurity subrule.
	// +optional
	PodSecurity []kyvernov1.PodSecurityStandard `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`
}
PolicyExceptionSpec stores policy exception spec
func (*PolicyExceptionSpec) BackgroundProcessingEnabled ¶ added in v1.10.5
func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool
func (*PolicyExceptionSpec) Contains ¶ added in v1.10.5
func (p *PolicyExceptionSpec) Contains(policy string, rule string) bool
Contains returns true if it contains an exception for the given policy/rule pair
func (*PolicyExceptionSpec) DeepCopy ¶ added in v1.10.5
func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionSpec.
func (*PolicyExceptionSpec) DeepCopyInto ¶ added in v1.10.5
func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyList ¶
// PolicyList is a list of Policy instances, as returned by a list/watch call against the
// Policy resource.
type PolicyList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`

	// Items holds the Policy objects in this list.
	Items []Policy `json:"items" yaml:"items"`
}
PolicyList is a list of Policy instances.
func (*PolicyList) DeepCopy ¶
func (in *PolicyList) DeepCopy() *PolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList.
func (*PolicyList) DeepCopyInto ¶
func (in *PolicyList) DeepCopyInto(out *PolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyList) DeepCopyObject ¶
func (in *PolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ResourceDescription ¶
// ResourceDescription contains criteria used to match resources. All of the populated criteria
// describe the same resource; each list/selector field is optional and accepts the wildcard
// characters documented on it.
//
// NOTE(review): the Names/Namespaces/Annotations comments describe "?" as "at least one
// character" while the Selector comments describe it as "matches one character" — these
// disagree; confirm the actual wildcard semantics and make the comments consistent.
type ResourceDescription struct {
	// Kinds is a list of resource kinds.
	// +optional
	Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`

	// Names are the names of the resources. Each name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// +optional
	Names []string `json:"names,omitempty" yaml:"names,omitempty"`

	// Namespaces is a list of namespaces names. Each name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// +optional
	Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`

	// Annotations is a map of annotations (key-value pairs of type string). Annotation keys
	// and values support the wildcard characters "*" (matches zero or many characters) and
	// "?" (matches at least one character).
	// +optional
	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`

	// Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
	// characters `*` (matches zero or many characters) and `?` (matches one character).
	// Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
	// using ["*" : "*"] matches any key and value but does not match an empty label set.
	// +optional
	Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`

	// NamespaceSelector is a label selector for the resource namespace. Label keys and values
	// in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
	// and `?` (matches one character). Wildcards allows writing label selectors like
	// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
	// does not match an empty label set.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`

	// Operations can contain values ["CREATE", "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.
	// +optional
	Operations []kyvernov1.AdmissionOperation `json:"operations,omitempty" yaml:"operations,omitempty"`
}
ResourceDescription contains criteria used to match resources.
func (*ResourceDescription) DeepCopy ¶
func (in *ResourceDescription) DeepCopy() *ResourceDescription
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDescription.
func (*ResourceDescription) DeepCopyInto ¶
func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (ResourceDescription) GetOperations ¶ added in v1.10.0
func (r ResourceDescription) GetOperations() []string
type ResourceFilter ¶
// ResourceFilter allows users to "AND" or "OR" between resources. It pairs criteria on the
// requesting user (the embedded UserInfo) with criteria on the resource itself
// (the embedded ResourceDescription).
type ResourceFilter struct {
	// UserInfo contains information about the user performing the operation.
	// NOTE(review): user data exists only in an admission review request; a rule that matches
	// on it must have spec.background set to false (see Spec.Background) and cannot be
	// evaluated against existing resources.
	// +optional
	kyvernov1.UserInfo `json:",omitempty" yaml:",omitempty"`

	// ResourceDescription contains information about the resource being created or modified.
	ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}
ResourceFilter allows users to "AND" or "OR" between resources
func (*ResourceFilter) DeepCopy ¶
func (in *ResourceFilter) DeepCopy() *ResourceFilter
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilter.
func (*ResourceFilter) DeepCopyInto ¶
func (in *ResourceFilter) DeepCopyInto(out *ResourceFilter)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceFilters ¶
// ResourceFilters is a slice of ResourceFilter. Note that MatchResources in this package
// declares its Any/All fields with the kyvernov1.ResourceFilters type rather than this one.
type ResourceFilters []ResourceFilter
ResourceFilters is a slice of ResourceFilter
func (ResourceFilters) DeepCopy ¶
func (in ResourceFilters) DeepCopy() ResourceFilters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilters.
func (ResourceFilters) DeepCopyInto ¶
func (in ResourceFilters) DeepCopyInto(out *ResourceFilters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Rule ¶
// Rule defines a validation, mutation, or generation control for matching resources. Each rule
// contains a match declaration to select resources and an optional exclude declaration to
// specify which resources to exclude; exactly which action it performs is given by whichever
// of Mutation, Validation, Generation or VerifyImages is populated.
type Rule struct {
	// Name is a label to identify the rule, It must be unique within the policy.
	// +kubebuilder:validation:MaxLength=63
	Name string `json:"name" yaml:"name"`

	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`

	// MatchResources defines when this policy rule should be applied. The match
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the user name or role.
	// At least one kind is required.
	MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`

	// ExcludeResources defines when this policy rule should not be applied. The exclude
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the name or role.
	// NOTE(review): an exclude block carves resources out of the rule entirely; see
	// ValidateMatchExcludeConflict, which rejects a match/exclude pair that leaves nothing.
	// +optional
	ExcludeResources MatchResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`

	// ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
	// This config is only valid for verifyImages rules.
	// +optional
	ImageExtractors kyvernov1.ImageExtractorConfigs `json:"imageExtractors,omitempty" yaml:"imageExtractors,omitempty"`

	// Preconditions are used to determine if a policy rule should be applied by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements.
	// See: https://kyverno.io/docs/writing-policies/preconditions/
	// +optional
	RawAnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`

	// CELPreconditions are used to determine if a policy rule should be applied by evaluating a
	// set of CEL conditions. It can only be used with the validate.cel subrule
	// +optional
	CELPreconditions []admissionregistrationv1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"`

	// Mutation is used to modify matching resources.
	// +optional
	Mutation kyvernov1.Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`

	// Validation is used to validate matching resources.
	// +optional
	Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`

	// Generation is used to create new resources.
	// +optional
	Generation kyvernov1.Generation `json:"generate,omitempty" yaml:"generate,omitempty"`

	// VerifyImages is used to verify image signatures and mutate them to add a digest
	// +optional
	VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`

	// SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
	// The default value is set to "true", it must be set to "false" to apply
	// generate and mutateExisting rules to those requests.
	// NOTE(review): this is a plain bool tagged `omitempty` with a server-side default of true,
	// so a Go client that sets it to false has the value dropped on marshal and then defaulted
	// back to true by the API server — confirm, and consider *bool if false must be expressible
	// from Go.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty" yaml:"skipBackgroundRequests,omitempty"`
}
Rule defines a validation, mutation, or generation control for matching resources. Each rule contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude.
func (*Rule) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
func (*Rule) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Rule) GetGenerateTypeAndSync ¶ added in v1.10.1
func (r *Rule) GetGenerateTypeAndSync() (_ kyvernov1.GenerateType, sync bool, orphanDownstream bool)
func (*Rule) HasMutateExisting ¶ added in v1.12.0
HasMutateExisting checks if the mutate rule applies to existing resources
func (*Rule) HasMutateStandard ¶ added in v1.12.0
HasMutateStandard checks for a standard (admission-time) mutate rule
func (*Rule) HasValidateCEL ¶ added in v1.10.5
HasValidateCEL checks for validate.cel rule
func (Rule) HasValidatePodSecurity ¶ added in v1.10.0
HasValidatePodSecurity checks for validate.podSecurity rule
func (*Rule) HasVerifyImageChecks ¶ added in v1.10.0
HasVerifyImageChecks checks whether the verifyImages rule has validation checks
func (*Rule) HasVerifyImages ¶
HasVerifyImages checks for verifyImages rule
func (Rule) HasVerifyManifests ¶ added in v1.10.0
HasVerifyManifests checks for validate.manifests rule
func (*Rule) Validate ¶
func (r *Rule) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList)
Validate implements programmatic validation
func (*Rule) ValidateGenerate ¶ added in v1.10.0
func (*Rule) ValidateMatchExcludeConflict ¶
ValidateMatchExcludeConflict checks that the set of resources selected by the match block, minus those removed by the exclude block, is not empty
type Spec ¶
// Spec contains a list of Rule instances and other policy controls. The controls fall into
// three groups: how rules are sequenced (ApplyRules), how failures and errors are handled
// (FailurePolicy, ValidationFailureAction and its overrides, WebhookTimeoutSeconds), and which
// execution paths are enabled (Admission, Background, the *Existing flags, WebhookConfiguration).
type Spec struct {
	// Rules is a list of Rule instances. A Policy contains multiple rules and
	// each rule can validate, mutate, or generate resources.
	Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`

	// ApplyRules controls how rules in a policy are applied. Rule are processed in
	// the order of declaration. When set to `One` processing stops after a rule has
	// been applied i.e. the rule matches and results in a pass, fail, or error. When
	// set to `All` all rules in the policy are processed. The default is `All`.
	// +optional
	ApplyRules *kyvernov1.ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`

	// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
	// Rules within the same policy share the same failure behavior.
	// Allowed values are Ignore or Fail. Defaults to Fail.
	// NOTE(review): Ignore makes the policy fail-open — a request is admitted when the webhook
	// errors or times out — so keep the default Fail for policies that enforce security
	// invariants, and treat Ignore as an availability trade-off made on purpose.
	// +optional
	FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`

	// ValidationFailureAction defines if a validation policy rule violation should block
	// the admission review request (enforce), or allow (audit) the admission review request
	// and report an error in a policy report. Optional.
	// Allowed values are audit or enforce. The default value is "Audit".
	// NOTE(review): because the default is Audit, a validation policy blocks nothing unless
	// this is explicitly set to Enforce.
	// +optional
	// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
	// +kubebuilder:default=Audit
	ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`

	// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
	// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
	// NOTE(review): an override can downgrade an Enforce policy to Audit for the listed
	// namespaces, so review these entries with the same care as the policy itself.
	// +optional
	ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`

	// Admission controls if rules are applied during admission.
	// Optional. Default value is "true".
	// +optional
	// +kubebuilder:default=true
	Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"`

	// Background controls if rules are applied to existing resources during a background scan.
	// Optional. Default value is "true". The value must be set to "false" if the policy rule
	// uses variables that are only available in the admission review request (e.g. user name).
	// +optional
	// +kubebuilder:default=true
	Background *bool `json:"background,omitempty" yaml:"background,omitempty"`

	// SchemaValidation is retained for API compatibility only.
	//
	// Deprecated: do not set this field; its use is presumably reported by
	// ValidateDeprecatedFields — confirm.
	SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`

	// WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
	// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
	// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
	WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`

	// MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
	// Default value is "false".
	// +optional
	MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`

	// GenerateExistingOnPolicyUpdate is the older spelling of GenerateExisting.
	//
	// Deprecated: use generateExisting instead.
	// +optional
	GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`

	// GenerateExisting controls whether to trigger generate rule in existing resources
	// If is set to "true" generate rule will be triggered and applied to existing matched resources.
	// Defaults to "false" if not specified.
	// +optional
	GenerateExisting bool `json:"generateExisting,omitempty" yaml:"generateExisting,omitempty"`

	// UseServerSideApply controls whether to use server-side apply for generate rules
	// If is set to "true" create & update for generate rules will use apply instead of create/update.
	// Defaults to "false" if not specified.
	// +optional
	UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`

	// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
	// Requires Kubernetes 1.27 or later.
	// +optional
	WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
}
Spec contains a list of Rule instances and other policy controls.
func (*Spec) AdmissionProcessingEnabled ¶ added in v1.10.5
AdmissionProcessingEnabled checks if admission is set to true
func (*Spec) BackgroundProcessingEnabled ¶
BackgroundProcessingEnabled checks if background is set to true
func (*Spec) CustomWebhookConfiguration ¶ added in v1.12.0
func (*Spec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.
func (*Spec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Spec) GetApplyRules ¶
func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType
GetApplyRules returns the apply-rules mode (One or All) to be used
func (*Spec) GetFailurePolicy ¶
func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType
GetFailurePolicy returns the failure policy to be applied
func (*Spec) GetMutateExistingOnPolicyUpdate ¶
GetMutateExistingOnPolicyUpdate returns the configured MutateExistingOnPolicyUpdate value
func (*Spec) HasGenerate ¶
HasGenerate checks for generate rule types
func (*Spec) HasMutateExisting ¶ added in v1.12.0
HasMutateExisting checks for mutate-existing rule types
func (*Spec) HasMutateOrValidateOrGenerate ¶
HasMutateOrValidateOrGenerate checks for rule types
func (*Spec) HasMutateStandard ¶ added in v1.12.0
HasMutateStandard checks for standard (admission-time) mutate rules
func (*Spec) HasValidate ¶
HasValidate checks for validate rule types
func (*Spec) HasVerifyImageChecks ¶ added in v1.10.0
HasVerifyImageChecks checks for image verification rules invoked during resource validation
func (*Spec) HasVerifyImages ¶
HasVerifyImages checks for image verification rules invoked during resource mutation
func (*Spec) HasVerifyManifests ¶ added in v1.10.0
HasVerifyManifests checks for manifest verification (validate.manifests) rules
func (*Spec) IsGenerateExisting ¶ added in v1.10.0
IsGenerateExisting returns the configured GenerateExisting value
func (*Spec) Validate ¶
func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList)
Validate implements programmatic validation
func (*Spec) ValidateDeprecatedFields ¶ added in v1.10.0
func (*Spec) ValidateRuleNames ¶
ValidateRuleNames checks if the rule names are unique across a policy
type Validation ¶
// Validation defines checks to be performed on matching resources. A rule uses one of the
// check styles below (pattern/anyPattern, deny, foreach, manifests, podSecurity or cel);
// Message is the failure text reported for whichever check fails.
type Validation struct {
	// Message specifies a custom message to be displayed on failure.
	// +optional
	Message string `json:"message,omitempty" yaml:"message,omitempty"`

	// Manifest specifies conditions for manifest verification
	// +optional
	Manifests *kyvernov1.Manifests `json:"manifests,omitempty" yaml:"manifests,omitempty"`

	// ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
	// +optional
	ForEachValidation []kyvernov1.ForEachValidation `json:"foreach,omitempty" yaml:"foreach,omitempty"`

	// Pattern specifies an overlay-style pattern used to check resources.
	// +optional
	RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`

	// AnyPattern specifies list of validation patterns. At least one of the patterns
	// must be satisfied for the validation rule to succeed.
	// +optional
	RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`

	// Deny defines conditions used to pass or fail a validation rule.
	// +optional
	Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`

	// PodSecurity applies exemptions for Kubernetes Pod Security admission
	// by specifying exclusions for Pod Security Standards controls.
	// NOTE(review): each exclusion listed here relaxes a Pod Security Standard control for the
	// matched pods; keep the list minimal and review it alongside any PolicyException that
	// sets podSecurity, since both widen what is allowed.
	// +optional
	PodSecurity *kyvernov1.PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`

	// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
	// +optional
	CEL *kyvernov1.CEL `json:"cel,omitempty" yaml:"cel,omitempty"`
}
Validation defines checks to be performed on matching resources.
func (*Validation) DeepCopy ¶
func (in *Validation) DeepCopy() *Validation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation.
func (*Validation) DeepCopyInto ¶
func (in *Validation) DeepCopyInto(out *Validation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type WebhookConfiguration ¶ added in v1.12.0
// WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.
// It is referenced from Spec.WebhookConfiguration and requires Kubernetes 1.27 or later.
type WebhookConfiguration struct {
	// MatchCondition configures admission webhook matchConditions.
	// NOTE(review): match conditions are evaluated by the API server before the webhook is
	// called, so a request they exclude presumably never reaches Kyverno at all — it bypasses
	// every rule in the policy, including audit reporting. A condition that errors is handled
	// according to FailurePolicy; confirm both behaviours against the Kubernetes docs before
	// using this to narrow an enforcing policy.
	// +optional
	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"`
}
WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.
func (*WebhookConfiguration) DeepCopy ¶ added in v1.12.0
func (in *WebhookConfiguration) DeepCopy() *WebhookConfiguration
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConfiguration.
func (*WebhookConfiguration) DeepCopyInto ¶ added in v1.12.0
func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.