package v1

Version v1.12.3-rc.1 (not the latest version of this module)
Published: May 30, 2024 License: Apache-2.0 Imports: 27 Imported by: 24

Documentation
Constants

const (
	// PolicyReasonSucceeded is the reason set when the policy is ready
	PolicyReasonSucceeded = "Succeeded"
	// PolicyReasonFailed is the reason set when the policy is not ready
	PolicyReasonFailed = "Failed"
)

const GroupName = "kyverno.io"

GroupName specifies the group name used to register the objects.

const (
	// PolicyConditionReady means that the policy is ready
	PolicyConditionReady = "Ready"
)

Variables

var (
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
	SchemeBuilder runtime.SchemeBuilder

	// Deprecated: use Install instead
	AddToScheme = localSchemeBuilder.AddToScheme
	Install     = localSchemeBuilder.AddToScheme
)

var ConditionOperators = map[string]ConditionOperator{
	"Equal":                       ConditionOperator("Equal"),
	"Equals":                      ConditionOperator("Equals"),
	"NotEqual":                    ConditionOperator("NotEqual"),
	"NotEquals":                   ConditionOperator("NotEquals"),
	"In":                          ConditionOperator("In"),
	"AnyIn":                       ConditionOperator("AnyIn"),
	"AllIn":                       ConditionOperator("AllIn"),
	"NotIn":                       ConditionOperator("NotIn"),
	"AnyNotIn":                    ConditionOperator("AnyNotIn"),
	"AllNotIn":                    ConditionOperator("AllNotIn"),
	"GreaterThanOrEquals":         ConditionOperator("GreaterThanOrEquals"),
	"GreaterThan":                 ConditionOperator("GreaterThan"),
	"LessThanOrEquals":            ConditionOperator("LessThanOrEquals"),
	"LessThan":                    ConditionOperator("LessThan"),
	"DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"),
	"DurationGreaterThan":         ConditionOperator("DurationGreaterThan"),
	"DurationLessThanOrEquals":    ConditionOperator("DurationLessThanOrEquals"),
	"DurationLessThan":            ConditionOperator("DurationLessThan"),
}

ConditionOperators stores all the valid ConditionOperator types as key-value pairs.

"Equal" evaluates if the key is equal to the value. (Deprecated; use Equals instead.)
"Equals" evaluates if the key is equal to the value.
"NotEqual" evaluates if the key is not equal to the value. (Deprecated; use NotEquals instead.)
"NotEquals" evaluates if the key is not equal to the value.
"In" evaluates if the key is contained in the set of values.
"AnyIn" evaluates if any of the keys are contained in the set of values.
"AllIn" evaluates if all the keys are contained in the set of values.
"NotIn" evaluates if the key is not contained in the set of values.
"AnyNotIn" evaluates if any of the keys are not contained in the set of values.
"AllNotIn" evaluates if all the keys are not contained in the set of values.
"GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric).
"GreaterThan" evaluates if the key (numeric) is greater than the value (numeric).
"LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric).
"LessThan" evaluates if the key (numeric) is less than the value (numeric).
"DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration).
"DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration).
"DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration).
"DurationLessThan" evaluates if the key (duration) is less than the value (duration).

var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1"}

GroupVersion specifies the group and the version used to register the objects.

var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}

SchemeGroupVersion is the group version used to register these objects. Deprecated: use GroupVersion instead.

Functions

func FromJSON added in v1.7.0

func FromJSON(in *apiextv1.JSON) apiextensions.JSON

func RegisterDefaults added in v1.10.5

func RegisterDefaults(scheme *runtime.Scheme) error

RegisterDefaults adds defaulters functions to the given scheme. Public to allow building arbitrary schemes. All generated defaulters are covering - they call all nested defaulters.

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a group-qualified GroupResource.

func ToJSON added in v1.7.0

func ToJSON(in apiextensions.JSON) *apiextv1.JSON

func ValidateAutogenAnnotation added in v1.7.0

func ValidateAutogenAnnotation(path *field.Path, annotations map[string]string) (errs field.ErrorList)

ValidateAutogenAnnotation validates the autogen annotation.

func ValidatePolicyName added in v1.7.0

func ValidatePolicyName(path *field.Path, name string) (errs field.ErrorList)

ValidatePolicyName validates the policy name.

Types

type APICall

type APICall struct {
	// URLPath is the URL path to be used in the HTTP GET or POST request to the
	// Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
	// The format required is the same format used by the `kubectl get --raw` command.
	// See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
	// for details.
	// It's mutually exclusive with the Service field.
	// +kubebuilder:validation:Optional
	URLPath string `json:"urlPath" yaml:"urlPath"`

	// Method is the HTTP request type (GET or POST).
	// +kubebuilder:default=GET
	Method Method `json:"method,omitempty" yaml:"method,omitempty"`

	// The data object specifies the POST data sent to the server.
	// Only applicable when the method field is set to POST.
	// +kubebuilder:validation:Optional
	Data []RequestData `json:"data,omitempty" yaml:"data,omitempty"`

	// Service is an API call to a JSON web service.
	// This is used for non-Kubernetes API server calls.
	// It's mutually exclusive with the URLPath field.
	// +kubebuilder:validation:Optional
	Service *ServiceCall `json:"service,omitempty" yaml:"service,omitempty"`
}

func (*APICall) DeepCopy

func (in *APICall) DeepCopy() *APICall

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APICall.

func (*APICall) DeepCopyInto

func (in *APICall) DeepCopyInto(out *APICall)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AdmissionOperation added in v1.10.0

type AdmissionOperation admissionv1.Operation

AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action. +kubebuilder:validation:Enum=CREATE;CONNECT;UPDATE;DELETE

type AnyAllConditions

type AnyAllConditions struct {
	// AnyConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when a rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, at least one of the conditions need to pass
	// +optional
	AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`

	// AllConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when a rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, all of the conditions need to pass
	// +optional
	AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
}

AnyAllConditions wraps a set of conditions denoting a logical criterion to be fulfilled. AnyConditions are fulfilled when at least one of the sub-conditions passes. AllConditions are fulfilled only when all of the sub-conditions pass.
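As an added illustration of the any/all rule just stated, and of the ConditionOperators semantics listed under Variables, here is a small evaluator (example code, not Kyverno's) for a subset of the operators (Equals, In, AnyIn, AllIn, GreaterThan) over conditions whose keys have already been resolved. The `condition` and `anyAllConditions` types and the `evalCondition`/`evalAnyAll` functions are stand-ins invented for this example.

```go
package main

import (
	"fmt"
	"reflect"
	"strconv"
)

// condition stands in for the Condition type on this page with its key already
// resolved (JMESPath lookup is out of scope). Constructed for this example, not
// the project's own code.
type condition struct {
	Key      any
	Operator string
	Value    any
}

// anyAllConditions mirrors the any/all shape documented on AnyAllConditions.
type anyAllConditions struct {
	Any []condition
	All []condition
}

func toSlice(v any) []any {
	if s, ok := v.([]any); ok {
		return s
	}
	return []any{v}
}

func contains(set []any, x any) bool {
	for _, e := range set {
		if reflect.DeepEqual(e, x) {
			return true
		}
	}
	return false
}

// evalCondition implements a subset of the operators listed under ConditionOperators.
// Unknown operators and wrongly typed operands return an error rather than false,
// so a malformed condition is never mistaken for a passing one.
func evalCondition(c condition) (bool, error) {
	switch c.Operator {
	case "Equals":
		return reflect.DeepEqual(c.Key, c.Value), nil
	case "In":
		return contains(toSlice(c.Value), c.Key), nil
	case "AnyIn", "AllIn":
		// AnyIn returns at the first key found in the set, AllIn at the first key missing.
		for _, k := range toSlice(c.Key) {
			if in := contains(toSlice(c.Value), k); in == (c.Operator == "AnyIn") {
				return in, nil
			}
		}
		return c.Operator == "AllIn", nil
	case "GreaterThan":
		k, err1 := strconv.ParseFloat(fmt.Sprint(c.Key), 64)
		v, err2 := strconv.ParseFloat(fmt.Sprint(c.Value), 64)
		if err1 != nil || err2 != nil {
			return false, fmt.Errorf("GreaterThan needs numeric operands")
		}
		return k > v, nil
	}
	return false, fmt.Errorf("unsupported operator %q", c.Operator)
}

// evalAnyAll applies the documented rule: Any is fulfilled when at least one of its
// conditions passes, All only when every condition passes, and both must hold.
// An empty list imposes no constraint (a choice made in this example).
func evalAnyAll(a anyAllConditions) (bool, error) {
	hit := len(a.Any) == 0
	for _, c := range a.Any {
		ok, err := evalCondition(c)
		if err != nil {
			return false, err
		}
		hit = hit || ok
	}
	if !hit {
		return false, nil
	}
	for _, c := range a.All {
		if ok, err := evalCondition(c); !ok || err != nil {
			return false, err
		}
	}
	return true, nil
}

func main() {
	// Constructed precondition: the operation is CREATE or UPDATE and the registry is allow-listed.
	pre := anyAllConditions{
		Any: []condition{{Key: "CREATE", Operator: "Equals", Value: "CREATE"}, {Key: "CREATE", Operator: "Equals", Value: "UPDATE"}},
		All: []condition{{Key: "ghcr.io", Operator: "In", Value: []any{"ghcr.io", "registry.internal"}}},
	}
	fmt.Println(evalAnyAll(pre))
}
```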

func (*AnyAllConditions) DeepCopy

func (in *AnyAllConditions) DeepCopy() *AnyAllConditions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions.

func (*AnyAllConditions) DeepCopyInto

func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ApplyRulesType added in v1.8.0

type ApplyRulesType string

ApplyRulesType controls whether processing stops after one rule is applied or all rules are applied. +kubebuilder:validation:Enum=All;One

const (
	// ApplyAll applies all rules in a policy that match.
	ApplyAll ApplyRulesType = "All"
	// ApplyOne applies only the first matching rule in the policy.
	ApplyOne ApplyRulesType = "One"
)

type Attestation

type Attestation struct {
	// Deprecated in favour of 'Type', to be removed soon
	// +kubebuilder:validation:Optional
	PredicateType string `json:"predicateType" yaml:"predicateType"`

	// Type defines the type of attestation contained within the Statement.
	// +kubebuilder:validation:Optional
	Type string `json:"type" yaml:"type"`

	// Attestors specify the required attestors (i.e. authorities).
	// +kubebuilder:validation:Optional
	Attestors []AttestorSet `json:"attestors" yaml:"attestors"`

	// Conditions are used to verify attributes within a Predicate. If no Conditions are specified
	// the attestation check is satisfied as long as there are predicates that match the predicate type.
	// +kubebuilder:validation:Optional
	Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}

Attestation defines checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.

func (*Attestation) DeepCopy

func (in *Attestation) DeepCopy() *Attestation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.

func (*Attestation) DeepCopyInto

func (in *Attestation) DeepCopyInto(out *Attestation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Attestation) Validate added in v1.8.3

func (a *Attestation) Validate(path *field.Path) (errs field.ErrorList)

type Attestor added in v1.7.0

type Attestor struct {
	// Keys specifies one or more public keys.
	// +kubebuilder:validation:Optional
	Keys *StaticKeyAttestor `json:"keys,omitempty" yaml:"keys,omitempty"`

	// Certificates specifies one or more certificates.
	// +kubebuilder:validation:Optional
	Certificates *CertificateAttestor `json:"certificates,omitempty" yaml:"certificates,omitempty"`

	// Keyless is a set of attributes used to verify a Sigstore keyless attestor.
	// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
	// +kubebuilder:validation:Optional
	Keyless *KeylessAttestor `json:"keyless,omitempty" yaml:"keyless,omitempty"`

	// Attestor is a nested set of Attestor used to specify a more complex set of match authorities.
	// +kubebuilder:validation:Optional
	Attestor *apiextv1.JSON `json:"attestor,omitempty" yaml:"attestor,omitempty"`

	// Annotations are used for image verification.
	// Every specified key-value pair must exist and match in the verified payload.
	// The payload may contain other key-value pairs.
	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`

	// Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
	// If specified Repository will override other OCI image repository locations for this Attestor.
	Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
}

func (*Attestor) DeepCopy added in v1.7.0

func (in *Attestor) DeepCopy() *Attestor

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestor.

func (*Attestor) DeepCopyInto added in v1.7.0

func (in *Attestor) DeepCopyInto(out *Attestor)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Attestor) Validate added in v1.7.0

func (a *Attestor) Validate(path *field.Path) (errs field.ErrorList)

type AttestorSet added in v1.7.0

type AttestorSet struct {
	// Count specifies the required number of entries that must match. If the count is null, all entries must match
	// (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
	// value N, then N must be less than or equal to the size of entries, and at least N entries must match.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Minimum:=1
	Count *int `json:"count,omitempty" yaml:"count,omitempty"`

	// Entries contains the available attestors. An attestor can be a static key,
	// attributes for keyless verification, or a nested attestor declaration.
	// +kubebuilder:validation:Optional
	Entries []Attestor `json:"entries,omitempty" yaml:"entries,omitempty"`
}

func AttestorSetUnmarshal added in v1.7.0

func AttestorSetUnmarshal(o *apiextv1.JSON) (*AttestorSet, error)

func (*AttestorSet) DeepCopy added in v1.7.0

func (in *AttestorSet) DeepCopy() *AttestorSet

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestorSet.

func (*AttestorSet) DeepCopyInto added in v1.7.0

func (in *AttestorSet) DeepCopyInto(out *AttestorSet)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (AttestorSet) RequiredCount added in v1.10.0

func (as AttestorSet) RequiredCount() int
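The Count rule documented on AttestorSet (null, 1, or N) is what RequiredCount has to reflect, and it is easy to get wrong when wiring image verification. The following added example (not Kyverno's code) models that rule with a stand-in struct, validates Count against the entry count, and checks constructed per-attestor verification results against it; `attestorSet`, `requiredCount`, `validateSet` and `satisfied` are names invented for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// attestorSet stands in for the AttestorSet type on this page; entries are
// reduced to attestor names, where the real ones carry keys, certificates or
// keyless attributes. Constructed for this example, not the project's code.
type attestorSet struct {
	Count   *int
	Entries []string
}

// requiredCount applies the Count rule from the AttestorSet docs: a nil count
// requires every entry (logical AND), 1 requires at least one (logical OR),
// and N requires at least N entries to match.
func requiredCount(as attestorSet) int {
	if as.Count == nil {
		return len(as.Entries)
	}
	return *as.Count
}

// validateSet enforces the documented bounds on Count: at least 1 when set
// (the Minimum marker) and no more than the number of entries, otherwise
// the set could never be satisfied.
func validateSet(as attestorSet) error {
	if as.Count == nil {
		return nil
	}
	if *as.Count < 1 {
		return errors.New("count must be at least 1")
	}
	if *as.Count > len(as.Entries) {
		return fmt.Errorf("count %d exceeds the %d entries", *as.Count, len(as.Entries))
	}
	return nil
}

// satisfied reports whether per-attestor verification results meet the
// required count. An attestor absent from results counts as failed, and a
// set with no entries is never satisfied: that fail-closed choice is made
// by this example, not stated on the page.
func satisfied(as attestorSet, results map[string]bool) (bool, error) {
	if err := validateSet(as); err != nil {
		return false, err
	}
	if len(as.Entries) == 0 {
		return false, nil
	}
	passed := 0
	for _, name := range as.Entries {
		if results[name] {
			passed++
		}
	}
	return passed >= requiredCount(as), nil
}

func intPtr(n int) *int { return &n }

func main() {
	entries := []string{"release-key", "ci-keyless", "vendor-cert"}
	// Constructed results: two of the three attestors verified the image.
	results := map[string]bool{"release-key": true, "ci-keyless": true, "vendor-cert": false}
	for _, as := range []attestorSet{
		{Count: nil, Entries: entries},       // AND: every attestor must verify
		{Count: intPtr(1), Entries: entries}, // OR: any one attestor suffices
		{Count: intPtr(2), Entries: entries}, // threshold: at least two
		{Count: intPtr(4), Entries: entries}, // invalid: exceeds the entry count
	} {
		ok, err := satisfied(as, results)
		fmt.Printf("required=%d ok=%v err=%v\n", requiredCount(as), ok, err)
	}
}
```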

func (*AttestorSet) Validate added in v1.7.0

func (as *AttestorSet) Validate(path *field.Path) (errs field.ErrorList)

type AutogenStatus added in v1.7.0

type AutogenStatus struct {
	// Rules is a list of Rule instances. It contains auto-generated rules added for pod controllers.
	Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`
}

AutogenStatus contains autogen status information.

func (*AutogenStatus) DeepCopy added in v1.7.0

func (in *AutogenStatus) DeepCopy() *AutogenStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenStatus.

func (*AutogenStatus) DeepCopyInto added in v1.7.0

func (in *AutogenStatus) DeepCopyInto(out *AutogenStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CEL added in v1.10.5

type CEL struct {
	// Expressions is a list of CELExpression types.
	Expressions []v1alpha1.Validation `json:"expressions,omitempty" yaml:"expressions,omitempty"`

	// ParamKind is a tuple of Group Kind and Version.
	// +optional
	ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty" yaml:"paramKind,omitempty"`

	// ParamRef references a parameter resource.
	// +optional
	ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty" yaml:"paramRef,omitempty"`

	// AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
	// +optional
	AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`

	// Variables contain definitions of variables that can be used in composition of other expressions.
	// Each variable is defined as a named CEL expression.
	// The variables defined here will be available under `variables` in other expressions of the policy.
	// +optional
	Variables []v1alpha1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
}

CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).

func (*CEL) DeepCopy added in v1.10.5

func (in *CEL) DeepCopy() *CEL

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CEL.

func (*CEL) DeepCopyInto added in v1.10.5

func (in *CEL) DeepCopyInto(out *CEL)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CEL) GetParamKind added in v1.10.5

func (c *CEL) GetParamKind() v1alpha1.ParamKind

func (*CEL) GetParamRef added in v1.10.5

func (c *CEL) GetParamRef() v1alpha1.ParamRef

func (*CEL) HasParam added in v1.10.5

func (c *CEL) HasParam() bool

type CTLog added in v1.7.0

type CTLog struct {
	// IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
	// timestamp. Default is false. Set to true if this was opted out during signing.
	// +kubebuilder:validation:Optional
	IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"`

	// PubKey, if set, is used to validate SCTs against a custom source.
	// +kubebuilder:validation:Optional
	CTLogPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
}

func (*CTLog) DeepCopy added in v1.7.0

func (in *CTLog) DeepCopy() *CTLog

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CTLog.

func (*CTLog) DeepCopyInto added in v1.7.0

func (in *CTLog) DeepCopyInto(out *CTLog)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateAttestor added in v1.7.0

type CertificateAttestor struct {
	// Cert is an optional PEM-encoded public certificate.
	// +kubebuilder:validation:Optional
	Certificate string `json:"cert,omitempty" yaml:"cert,omitempty"`

	// CertChain is an optional PEM encoded set of certificates used to verify.
	// +kubebuilder:validation:Optional
	CertificateChain string `json:"certChain,omitempty" yaml:"certChain,omitempty"`

	// Rekor provides configuration for the Rekor transparency log service. If an empty object
	// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
	// +kubebuilder:validation:Optional
	Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`

	// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
	// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
	// +kubebuilder:validation:Optional
	CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
}

func (*CertificateAttestor) DeepCopy added in v1.7.0

func (in *CertificateAttestor) DeepCopy() *CertificateAttestor

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAttestor.

func (*CertificateAttestor) DeepCopyInto added in v1.7.0

func (in *CertificateAttestor) DeepCopyInto(out *CertificateAttestor)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateAttestor) Validate added in v1.7.0

func (ca *CertificateAttestor) Validate(path *field.Path) (errs field.ErrorList)

type CloneFrom

type CloneFrom struct {
	// Namespace specifies source resource namespace.
	// +optional
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`

	// Name specifies name of the resource.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
}

CloneFrom provides the location of the source resource used to generate target resources. The resource kind is derived from the match criteria.

func (*CloneFrom) DeepCopy

func (in *CloneFrom) DeepCopy() *CloneFrom

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloneFrom.

func (*CloneFrom) DeepCopyInto

func (in *CloneFrom) DeepCopyInto(out *CloneFrom)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CloneList added in v1.8.0

type CloneList struct {
	// Namespace specifies source resource namespace.
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`

	// Kinds is a list of resource kinds.
	Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`

	// Selector is a label selector. Wildcard characters are not supported in
	// `matchLabels` keys and values.
	// +optional
	Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`
}

func (*CloneList) DeepCopy added in v1.8.0

func (in *CloneList) DeepCopy() *CloneList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloneList.

func (*CloneList) DeepCopyInto added in v1.8.0

func (in *CloneList) DeepCopyInto(out *CloneList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterPolicy

type ClusterPolicy struct {
	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

	// Spec declares policy behaviors.
	Spec Spec `json:"spec" yaml:"spec"`

	// Status contains policy runtime data.
	// +optional
	Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}

ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.

func (*ClusterPolicy) AdmissionProcessingEnabled added in v1.10.5

func (p *ClusterPolicy) AdmissionProcessingEnabled() bool

AdmissionProcessingEnabled checks if admission is set to true

func (*ClusterPolicy) BackgroundProcessingEnabled

func (p *ClusterPolicy) BackgroundProcessingEnabled() bool

BackgroundProcessingEnabled checks if background is set to true

func (*ClusterPolicy) CreateDeepCopy added in v1.7.0

func (p *ClusterPolicy) CreateDeepCopy() PolicyInterface

func (*ClusterPolicy) DeepCopy

func (in *ClusterPolicy) DeepCopy() *ClusterPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy.

func (*ClusterPolicy) DeepCopyInto

func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterPolicy) DeepCopyObject

func (in *ClusterPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterPolicy) GetKind added in v1.7.0

func (p *ClusterPolicy) GetKind() string

func (*ClusterPolicy) GetSpec added in v1.7.0

func (p *ClusterPolicy) GetSpec() *Spec

GetSpec returns the policy spec

func (*ClusterPolicy) GetStatus added in v1.8.1

func (p *ClusterPolicy) GetStatus() *PolicyStatus

GetStatus returns the policy status

func (*ClusterPolicy) HasAutoGenAnnotation

func (p *ClusterPolicy) HasAutoGenAnnotation() bool

HasAutoGenAnnotation checks if a policy has auto-gen annotation

func (*ClusterPolicy) HasGenerate

func (p *ClusterPolicy) HasGenerate() bool

HasGenerate checks for generate rule types

func (*ClusterPolicy) HasMutate

func (p *ClusterPolicy) HasMutate() bool

HasMutate checks for mutate rule types

func (*ClusterPolicy) HasMutateOrValidateOrGenerate

func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool

HasMutateOrValidateOrGenerate checks for rule types

func (*ClusterPolicy) HasValidate

func (p *ClusterPolicy) HasValidate() bool

HasValidate checks for validate rule types

func (*ClusterPolicy) HasVerifyImages

func (p *ClusterPolicy) HasVerifyImages() bool

HasVerifyImages checks for image verification rule types

func (*ClusterPolicy) IsNamespaced added in v1.7.0

func (p *ClusterPolicy) IsNamespaced() bool

IsNamespaced indicates if the policy is namespace scoped

func (*ClusterPolicy) IsReady added in v1.7.0

func (p *ClusterPolicy) IsReady() bool

IsReady indicates if the policy is ready to serve the admission request

func (*ClusterPolicy) Validate added in v1.7.0

func (p *ClusterPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList)

Validate implements programmatic validation. A namespaced policy is bound to a namespace and therefore should not filter or generate cluster-wide resources.

type ClusterPolicyList

type ClusterPolicyList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`
	Items           []ClusterPolicy `json:"items" yaml:"items"`
}

ClusterPolicyList is a list of ClusterPolicy instances.

func (*ClusterPolicyList) DeepCopy

func (in *ClusterPolicyList) DeepCopy() *ClusterPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyList.

func (*ClusterPolicyList) DeepCopyInto

func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterPolicyList) DeepCopyObject

func (in *ClusterPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type Condition

type Condition struct {
	// Key is the context entry (using JMESPath) for conditional rule evaluation.
	RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"`

	// Operator is the conditional operation to perform. Valid operators are:
	// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
	// GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
	// DurationLessThanOrEquals, DurationLessThan
	Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`

	// Value is the conditional value, or set of values. The values can be fixed set
	// or can be variables declared using JMESPath.
	// +optional
	RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`

	// Message is an optional display message
	Message string `json:"message,omitempty" yaml:"message,omitempty"`
}

Condition defines variable-based conditional criteria for rule execution.

func (*Condition) DeepCopy

func (in *Condition) DeepCopy() *Condition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.

func (*Condition) DeepCopyInto

func (in *Condition) DeepCopyInto(out *Condition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Condition) GetKey added in v1.7.0

func (c *Condition) GetKey() apiextensions.JSON

func (*Condition) GetValue added in v1.7.0

func (c *Condition) GetValue() apiextensions.JSON

func (*Condition) SetKey added in v1.7.0

func (c *Condition) SetKey(in apiextensions.JSON)

func (*Condition) SetValue added in v1.7.0

func (c *Condition) SetValue(in apiextensions.JSON)

type ConditionOperator

type ConditionOperator string

ConditionOperator is the operation performed on condition key and value. +kubebuilder:validation:Enum=Equals;NotEquals;In;AnyIn;AllIn;NotIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan

type ConfigMapReference

type ConfigMapReference struct {
	// Name is the ConfigMap name.
	Name string `json:"name" yaml:"name"`

	// Namespace is the ConfigMap namespace.
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
}

ConfigMapReference refers to a ConfigMap

func (*ConfigMapReference) DeepCopy

func (in *ConfigMapReference) DeepCopy() *ConfigMapReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.

func (*ConfigMapReference) DeepCopyInto

func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ContextAPICall added in v1.12.0

type ContextAPICall struct {
	APICall `json:",inline" yaml:",inline"`

	// JMESPath is an optional JSON Match Expression that can be used to
	// transform the JSON response returned from the server. For example
	// a JMESPath of "items | length(@)" applied to the API server response
	// for the URLPath "/apis/apps/v1/deployments" will return the total count
	// of deployments across all namespaces.
	// +kubebuilder:validation:Optional
	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
}

func (*ContextAPICall) DeepCopy added in v1.12.0

func (in *ContextAPICall) DeepCopy() *ContextAPICall

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextAPICall.

func (*ContextAPICall) DeepCopyInto added in v1.12.0

func (in *ContextAPICall) DeepCopyInto(out *ContextAPICall)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ContextEntry

type ContextEntry struct {
	// Name is the variable name.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`

	// ConfigMap is the ConfigMap reference.
	ConfigMap *ConfigMapReference `json:"configMap,omitempty" yaml:"configMap,omitempty"`

	// APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
	// The data returned is stored in the context with the name for the context entry.
	APICall *ContextAPICall `json:"apiCall,omitempty" yaml:"apiCall,omitempty"`

	// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
	// details.
	ImageRegistry *ImageRegistry `json:"imageRegistry,omitempty" yaml:"imageRegistry,omitempty"`

	// Variable defines an arbitrary JMESPath context variable that can be defined inline.
	Variable *Variable `json:"variable,omitempty" yaml:"variable,omitempty"`

	// GlobalContextEntryReference is a reference to a cached global context entry.
	// +kubebuilder:validation:Required
	GlobalReference *GlobalContextEntryReference `json:"globalReference,omitempty" yaml:"globalReference,omitempty"`
}

ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or an APILookup must be provided.

func (*ContextEntry) DeepCopy

func (in *ContextEntry) DeepCopy() *ContextEntry

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextEntry.

func (*ContextEntry) DeepCopyInto

func (in *ContextEntry) DeepCopyInto(out *ContextEntry)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Deny

type Deny struct {
	// Multiple conditions can be declared under an `any` or `all` statement. A direct list
	// of conditions (without `any` or `all` statements) is also supported for backwards compatibility
	// but will be deprecated in the next major release.
	// See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
	RawAnyAllConditions *apiextv1.JSON `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}

Deny specifies a list of conditions used to pass or fail a validation rule.

func (*Deny) DeepCopy

func (in *Deny) DeepCopy() *Deny

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deny.

func (*Deny) DeepCopyInto

func (in *Deny) DeepCopyInto(out *Deny)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Deny) GetAnyAllConditions added in v1.7.0

func (d *Deny) GetAnyAllConditions() apiextensions.JSON

func (*Deny) SetAnyAllConditions added in v1.7.0

func (d *Deny) SetAnyAllConditions(in apiextensions.JSON)

type DryRunOption added in v1.8.0

type DryRunOption struct {
	Enable    bool   `json:"enable,omitempty" yaml:"enable,omitempty"`
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
}

DryRunOption is a configuration for dry run. If enable is set to "true", manifest verification performs "dryrun & compare", which provides robust matching against changes made by defaults and other admission controllers. Dry run requires additional permissions; see config/dryrun/dryrun_rbac.yaml.

func (*DryRunOption) DeepCopy added in v1.8.0

func (in *DryRunOption) DeepCopy() *DryRunOption

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DryRunOption.

func (*DryRunOption) DeepCopyInto added in v1.8.0

func (in *DryRunOption) DeepCopyInto(out *DryRunOption)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FailurePolicyType

type FailurePolicyType string

FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. +kubebuilder:validation:Enum=Ignore;Fail

const (
	// Ignore means that an error calling the webhook is ignored and the request
	// is admitted (fail-open).
	Ignore FailurePolicyType = "Ignore"
	// Fail means that an error calling the webhook causes the admission to fail
	// (fail-closed).
	Fail FailurePolicyType = "Fail"
)

type ForEachMutation

type ForEachMutation struct {
	// List specifies a JMESPath expression that results in one or more elements
	// to which the mutation logic is applied.
	List string `json:"list,omitempty" yaml:"list,omitempty"`

	// Order defines the iteration order on the list.
	// Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
	// +optional
	Order *ForeachOrder `json:"order,omitempty" yaml:"order,omitempty"`

	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`

	// AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements.
	// See: https://kyverno.io/docs/writing-policies/preconditions/
	// +kubebuilder:validation:XPreserveUnknownFields
	// +optional
	AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`

	// PatchStrategicMerge is a strategic merge patch used to modify resources.
	// See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
	// and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
	// +optional
	RawPatchStrategicMerge *apiextv1.JSON `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"`

	// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
	// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
	// +optional
	PatchesJSON6902 string `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"`

	// Foreach declares a nested foreach iterator
	// +optional
	ForEachMutation *apiextv1.JSON `json:"foreach,omitempty" yaml:"foreach,omitempty"`
}

ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.

func (*ForEachMutation) DeepCopy

func (in *ForEachMutation) DeepCopy() *ForEachMutation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForEachMutation.

func (*ForEachMutation) DeepCopyInto

func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ForEachMutation) GetPatchStrategicMerge added in v1.7.0

func (m *ForEachMutation) GetPatchStrategicMerge() apiextensions.JSON

func (*ForEachMutation) SetPatchStrategicMerge added in v1.7.0

func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON)

type ForEachValidation

type ForEachValidation struct {
	// List specifies a JMESPath expression that results in one or more elements
	// to which the validation logic is applied.
	List string `json:"list,omitempty" yaml:"list,omitempty"`

	// ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
	// When set to "false", "request.object" is used as the validation scope within the foreach
	// block to allow referencing other elements in the subtree.
	// +optional
	ElementScope *bool `json:"elementScope,omitempty" yaml:"elementScope,omitempty"`

	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`

	// AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements.
	// See: https://kyverno.io/docs/writing-policies/preconditions/
	// +kubebuilder:validation:XPreserveUnknownFields
	// +optional
	AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`

	// Pattern specifies an overlay-style pattern used to check resources.
	// +optional
	RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`

	// AnyPattern specifies list of validation patterns. At least one of the patterns
	// must be satisfied for the validation rule to succeed.
	// +optional
	RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`

	// Deny defines conditions used to pass or fail a validation rule.
	// +optional
	Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`

	// Foreach declares a nested foreach iterator
	// +optional
	ForEachValidation *apiextv1.JSON `json:"foreach,omitempty" yaml:"foreach,omitempty"`
}

ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.

func (*ForEachValidation) DeepCopy

func (in *ForEachValidation) DeepCopy() *ForEachValidation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForEachValidation.

func (*ForEachValidation) DeepCopyInto

func (in *ForEachValidation) DeepCopyInto(out *ForEachValidation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ForEachValidation) GetAnyPattern added in v1.7.0

func (v *ForEachValidation) GetAnyPattern() apiextensions.JSON

func (*ForEachValidation) GetPattern added in v1.7.0

func (v *ForEachValidation) GetPattern() apiextensions.JSON

func (*ForEachValidation) SetAnyPattern added in v1.7.0

func (v *ForEachValidation) SetAnyPattern(in apiextensions.JSON)

func (*ForEachValidation) SetPattern added in v1.7.0

func (v *ForEachValidation) SetPattern(in apiextensions.JSON)

type ForeachOrder added in v1.10.0

type ForeachOrder string

ForeachOrder specifies the iteration order in foreach statements. +kubebuilder:validation:Enum=Ascending;Descending

const (
	// Ascending means iterating from first to last element.
	Ascending ForeachOrder = "Ascending"
	// Descending means iterating from last to first element.
	Descending ForeachOrder = "Descending"
)

type GenerateType added in v1.10.0

type GenerateType string

const (
	Data  GenerateType = "Data"
	Clone GenerateType = "Clone"
)

type Generation

type Generation struct {
	// ResourceSpec contains information to select the resource.
	ResourceSpec `json:",omitempty" yaml:",omitempty"`

	// Synchronize controls if generated resources should be kept in-sync with their source resource.
	// If Synchronize is set to "true" changes to generated resources will be overwritten with resource
	// data from Data or the resource specified in the Clone declaration.
	// Optional. Defaults to "false" if not specified.
	// +optional
	Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`

	// OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
	// them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
	// See https://kyverno.io/docs/writing-policies/generate/#data-examples.
	// Defaults to "false" if not specified.
	// +optional
	OrphanDownstreamOnPolicyDelete bool `json:"orphanDownstreamOnPolicyDelete,omitempty" yaml:"orphanDownstreamOnPolicyDelete,omitempty"`

	// Data provides the resource declaration used to populate each generated resource.
	// At most one of Data or Clone can be specified. If neither are provided, the generated
	// resource will be created with default data only.
	// +optional
	RawData *apiextv1.JSON `json:"data,omitempty" yaml:"data,omitempty"`

	// Clone specifies the source resource used to populate each generated resource.
	// At most one of Data or Clone can be specified. If neither are provided, the generated
	// resource will be created with default data only.
	// +optional
	Clone CloneFrom `json:"clone,omitempty" yaml:"clone,omitempty"`

	// CloneList specifies the list of source resource used to populate each generated resource.
	// +optional
	CloneList CloneList `json:"cloneList,omitempty" yaml:"cloneList,omitempty"`
}

Generation defines how new resources should be created and managed.

func (*Generation) DeepCopy

func (in *Generation) DeepCopy() *Generation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Generation.

func (*Generation) DeepCopyInto

func (in *Generation) DeepCopyInto(out *Generation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Generation) GetData added in v1.7.0

func (g *Generation) GetData() apiextensions.JSON

func (*Generation) GetTypeAndSyncAndOrphanDownstream added in v1.12.0

func (g *Generation) GetTypeAndSyncAndOrphanDownstream() (GenerateType, bool, bool)

func (*Generation) SetData added in v1.7.0

func (g *Generation) SetData(in apiextensions.JSON)

func (*Generation) Validate added in v1.10.0

func (g *Generation) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList)

func (*Generation) ValidateCloneList added in v1.10.2

func (g *Generation) ValidateCloneList(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList)

type GlobalContextEntryReference added in v1.12.0

type GlobalContextEntryReference struct {
	// Name of the global context entry
	// +kubebuilder:validation:Required
	Name string `json:"name,omitempty" yaml:"name,omitempty"`

	// JMESPath is an optional JMESPath expression that can be used to
	// transform the data held by the referenced GlobalContextEntry. For example,
	// if the entry caches the API server response for the URLPath
	// "/apis/apps/v1/deployments", a JMESPath of "items | length(@)" returns
	// the total count of deployments across all namespaces.
	// +kubebuilder:validation:Optional
	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
}

func (*GlobalContextEntryReference) DeepCopy added in v1.12.0

func (in *GlobalContextEntryReference) DeepCopy() *GlobalContextEntryReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalContextEntryReference.

func (*GlobalContextEntryReference) DeepCopyInto added in v1.12.0

func (in *GlobalContextEntryReference) DeepCopyInto(out *GlobalContextEntryReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IgnoreFieldList added in v1.8.0

type IgnoreFieldList []ObjectFieldBinding

func (IgnoreFieldList) DeepCopy added in v1.8.0

func (in IgnoreFieldList) DeepCopy() IgnoreFieldList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IgnoreFieldList.

func (IgnoreFieldList) DeepCopyInto added in v1.8.0

func (in IgnoreFieldList) DeepCopyInto(out *IgnoreFieldList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImageExtractorConfig added in v1.7.0

type ImageExtractorConfig struct {
	// Path is the path to the object containing the image field in a custom resource.
	// It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
	// Wildcard keys are expanded in case of arrays or objects.
	Path string `json:"path" yaml:"path"`
	// Value is an optional name of the field within 'path' that points to the image URI.
	// This is useful when a custom 'key' is also defined.
	// +optional
	Value string `json:"value,omitempty" yaml:"value,omitempty"`
	// Name is the entry the image will be available under 'images.<name>' in the context.
	// If this field is not defined, image entries will appear under 'images.custom'.
	// +optional
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
	// Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
	// Note - the value of this field MUST be unique per image; entries sharing a key overwrite each other.
	// +optional
	Key string `json:"key,omitempty" yaml:"key,omitempty"`
	// JMESPath is an optional JMESPath expression to apply to the image value.
	// This is useful when the extracted image begins with a prefix like 'docker://'.
	// The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
	// Note - Image digest mutation may not be used when applying a JMESPath to an image.
	// +optional
	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
}

func (*ImageExtractorConfig) DeepCopy added in v1.7.0

func (in *ImageExtractorConfig) DeepCopy() *ImageExtractorConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageExtractorConfig.

func (*ImageExtractorConfig) DeepCopyInto added in v1.7.0

func (in *ImageExtractorConfig) DeepCopyInto(out *ImageExtractorConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImageExtractorConfigs added in v1.7.0

type ImageExtractorConfigs map[string][]ImageExtractorConfig

func (ImageExtractorConfigs) DeepCopy added in v1.7.0

func (in ImageExtractorConfigs) DeepCopy() ImageExtractorConfigs

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageExtractorConfigs.

func (ImageExtractorConfigs) DeepCopyInto added in v1.7.0

func (in ImageExtractorConfigs) DeepCopyInto(out *ImageExtractorConfigs)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
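Custom resources that embed container images are invisible to image verification until an ImageExtractorConfig tells Kyverno where to look, and ImageExtractorConfigs is the per-kind map of such entries. The Go program below is an added example, not Kyverno's extractor, of how the fields above combine: the slash-separated `path` is walked one segment at a time, `*` fans out over array elements or object values, `value` names the field carrying the image URI, `key` names the field that uniquely identifies it, and `name` selects the `images.<name>` entry (`custom` when omitted). The `Pipeline` kind, its fields and the registry names are constructed; falling back to the array index or object key when `key` is not set is this example's choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Extractor mirrors the ImageExtractorConfig fields used here.
type Extractor struct{ Path, Value, Name, Key string }

// node is a reached JSON value plus the index or key chosen by the last "*".
type node struct {
	id  string
	val interface{}
}

// walk follows the path segments; "*" fans out, a literal segment descends.
func walk(cur []node, segs []string) []node {
	if len(segs) == 0 {
		return cur
	}
	seg, next := segs[0], []node{}
	for _, n := range cur {
		switch v := n.val.(type) {
		case map[string]interface{}:
			for k, child := range v {
				if seg == "*" {
					next = append(next, node{k, child})
				} else if k == seg {
					next = append(next, node{n.id, child})
				}
			}
		case []interface{}:
			for i, child := range v {
				if seg == "*" {
					next = append(next, node{fmt.Sprint(i), child})
				}
			}
		}
	}
	return walk(next, segs[1:])
}

// Extract applies one extractor and returns the images.<name> entry name with its
// key -> image map. Without Value the reached node itself is the image string;
// without Key the last wildcard's index or object key is used (assumption).
func Extract(cfg Extractor, obj map[string]interface{}) (string, map[string]string) {
	name, out := cfg.Name, map[string]string{}
	if name == "" {
		name = "custom" // documented default entry name
	}
	for _, n := range walk([]node{{val: obj}}, strings.Split(strings.Trim(cfg.Path, "/"), "/")) {
		img, key := n.val, n.id
		if m, ok := n.val.(map[string]interface{}); ok {
			if cfg.Value != "" {
				img = m[cfg.Value]
			}
			if cfg.Key != "" {
				key = fmt.Sprint(m[cfg.Key])
			}
		}
		if s, ok := img.(string); ok && s != "" {
			out[key] = s
		}
	}
	return name, out
}

// ExtractAll runs every extractor registered for the object's kind. Entries that
// resolve to the same images.<name>.<key> overwrite one another: this is why Key
// must uniquely identify an image.
func ExtractAll(configs map[string][]Extractor, raw string) (map[string]map[string]string, error) {
	var obj map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &obj); err != nil {
		return nil, err
	}
	images := map[string]map[string]string{}
	for _, cfg := range configs[fmt.Sprint(obj["kind"])] {
		name, found := Extract(cfg, obj)
		if images[name] == nil {
			images[name] = map[string]string{}
		}
		for k, v := range found {
			images[name][k] = v
		}
	}
	return images, nil
}

// SampleCR is a constructed custom resource; the kind, fields and registry are invented.
const SampleCR = `{"apiVersion": "ci.example.com/v1", "kind": "Pipeline", "metadata": {"name": "build"},
 "spec": {"tasks": [{"name": "compile", "image": "registry.example.com/ci/builder:1.4"},
                    {"name": "scan", "image": "registry.example.com/ci/scanner:0.9"}, {"name": "notify", "script": "echo done"}],
          "sidecars": {"logger": {"image": "registry.example.com/ci/log-shipper:3.0"}}}}`

// PipelineExtractors is a constructed ImageExtractorConfigs value for kind "Pipeline".
var PipelineExtractors = map[string][]Extractor{"Pipeline": {
	{Path: "/spec/tasks/*", Value: "image", Key: "name", Name: "tasks"},
	{Path: "/spec/sidecars/*/image", Name: "sidecars"},
}}
```

ExtractAll(PipelineExtractors, SampleCR) yields `images.tasks.compile`, `images.tasks.scan` and `images.sidecars.logger`; the `notify` task has no image field and is skipped rather than producing an empty entry. The merge in ExtractAll is where a non-unique `key` bites: two tasks that share a name leave only one image in the context, and the other is never verified. When you write such a configuration, feed a resource with duplicate keys through `kyverno apply` and confirm every image shows up.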

type ImageRegistry

type ImageRegistry struct {
	// Reference is image reference to a container image in the registry.
	// Example: ghcr.io/kyverno/kyverno:latest
	Reference string `json:"reference" yaml:"reference"`

	// JMESPath is an optional JSON Match Expression that can be used to
	// transform the ImageData struct returned as a result of processing
	// the image reference.
	// +optional
	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`

	// ImageRegistryCredentials provides credentials that will be used for authentication with registry
	// +kubebuilder:validation:Optional
	ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
}

ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.

func (*ImageRegistry) DeepCopy

func (in *ImageRegistry) DeepCopy() *ImageRegistry

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistry.

func (*ImageRegistry) DeepCopyInto

func (in *ImageRegistry) DeepCopyInto(out *ImageRegistry)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImageRegistryCredentials added in v1.10.5

type ImageRegistryCredentials struct {
	// AllowInsecureRegistry allows insecure access to a registry (for example plain HTTP
	// or an untrusted TLS certificate). Not recommended outside local test registries.
	// +kubebuilder:validation:Optional
	AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"`

	// Providers specifies a list of OCI registry credential providers to use.
	// Allowed values: default, google, azure, amazon, github.
	// +kubebuilder:validation:Optional
	Providers []ImageRegistryCredentialsProvidersType `json:"providers,omitempty" yaml:"providers,omitempty"`

	// Secrets specifies a list of secrets that are provided for credentials.
	// Secrets must live in the Kyverno namespace.
	// +kubebuilder:validation:Optional
	Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"`
}

func (*ImageRegistryCredentials) DeepCopy added in v1.10.5

func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistryCredentials.

func (*ImageRegistryCredentials) DeepCopyInto added in v1.10.5

func (in *ImageRegistryCredentials) DeepCopyInto(out *ImageRegistryCredentials)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImageRegistryCredentialsProvidersType added in v1.10.5

type ImageRegistryCredentialsProvidersType string

ImageRegistryCredentialsProvidersType provides the list of credential providers required. +kubebuilder:validation:Enum=default;amazon;azure;google;github

type ImageVerification

type ImageVerification struct {
	// Type specifies the method of signature validation. The allowed options
	// are Cosign and Notary. By default Cosign is used if a type is not specified.
	// +kubebuilder:validation:Optional
	Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`

	// Deprecated. Use ImageReferences instead.
	// +kubebuilder:validation:Optional
	Image string `json:"image,omitempty" yaml:"image,omitempty"`

	// ImageReferences is a list of matching image reference patterns. At least one pattern in the
	// list must match the image for the rule to apply. Each image reference consists of a registry
	// address (defaults to docker.io), repository, image, and tag (defaults to latest).
	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
	// +kubebuilder:validation:Optional
	ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"`

	// SkipImageReferences is a list of matching image reference patterns that should be skipped.
	// At least one pattern in the list must match the image for the rule to be skipped. Each image reference
	// consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
	// +kubebuilder:validation:Optional
	SkipImageReferences []string `json:"skipImageReferences,omitempty" yaml:"skipImageReferences,omitempty"`

	// Deprecated. Use StaticKeyAttestor instead.
	Key string `json:"key,omitempty" yaml:"key,omitempty"`

	// Deprecated. Use KeylessAttestor instead.
	Roots string `json:"roots,omitempty" yaml:"roots,omitempty"`

	// Deprecated. Use KeylessAttestor instead.
	Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`

	// Deprecated. Use KeylessAttestor instead.
	Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`

	// Deprecated.
	AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"`

	// Attestors specifies the required attestors (i.e. authorities)
	// +kubebuilder:validation:Optional
	Attestors []AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"`

	// Attestations are optional checks for signed in-toto Statements used to verify the image.
	// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
	// OCI registry and decodes them into a list of Statement declarations.
	Attestations []Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"`

	// Deprecated. Use annotations per Attestor instead.
	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`

	// Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
	// If specified Repository will override the default OCI image repository configured for the installation.
	// The repository can also be overridden per Attestor or Attestation.
	Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`

	// MutateDigest enables replacement of image tags with digests.
	// Defaults to true.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	MutateDigest bool `json:"mutateDigest" yaml:"mutateDigest"`

	// VerifyDigest validates that images have a digest.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	VerifyDigest bool `json:"verifyDigest" yaml:"verifyDigest"`

	// Required validates that images are verified, i.e. have passed a signature or attestation check.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	Required bool `json:"required" yaml:"required"`

	// ImageRegistryCredentials provides credentials that will be used for authentication with registry.
	// +kubebuilder:validation:Optional
	ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`

	// UseCache enables caching of image verify responses for this rule.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	UseCache bool `json:"useCache" yaml:"useCache"`
}

ImageVerification validates that images matching the specified reference patterns are signed by the configured attestors and carry any required attestations. Once an image is verified it is mutated, when MutateDigest is enabled, to include the SHA digest retrieved during verification.
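The rule above is keyed on imageReferences and skipImageReferences, both wildcard pattern lists, and ends with digest handling (mutateDigest, verifyDigest). The Go program below is an added example, not Kyverno's matcher: it applies the documented defaults (registry docker.io, tag latest) to a reference, matches patterns against the normalized `registry/repository:tag` form (an assumption here; check how your Kyverno version normalizes before matching), implements `*` as any run of characters including `/` and `?` as exactly one character, and shows the digest check verifyDigest implies. The image names are constructed, and the `library/` namespace Docker Hub adds to bare names is deliberately not modelled.

```go
package main

import "strings"

// ImageRef holds the parts the ImageVerification docs name: registry (default
// docker.io), repository, tag (default latest) and an optional digest.
type ImageRef struct {
	Registry, Repository, Tag, Digest string
}

// ParseImageRef applies those defaults. Docker Hub's implicit "library/"
// namespace for bare names is deliberately not modelled (simplification).
func ParseImageRef(ref string) ImageRef {
	var r ImageRef
	if i := strings.Index(ref, "@"); i >= 0 {
		r.Digest, ref = ref[i+1:], ref[:i]
	}
	first, rest, hasSlash := strings.Cut(ref, "/")
	if hasSlash && (strings.ContainsAny(first, ".:") || first == "localhost") {
		r.Registry, ref = first, rest
	} else {
		r.Registry = "docker.io"
	}
	r.Repository = ref
	if i := strings.LastIndex(ref, ":"); i >= 0 {
		r.Repository, r.Tag = ref[:i], ref[i+1:]
	} else if r.Digest == "" {
		r.Tag = "latest" // only tag-less and digest-less references get the default
	}
	return r
}

// Canonical renders registry/repository[:tag][@digest]. Patterns are matched
// against this form here (assumption: check how your Kyverno version normalizes).
func (r ImageRef) Canonical() string {
	s := r.Registry + "/" + r.Repository
	if r.Tag != "" {
		s += ":" + r.Tag
	}
	if r.Digest != "" {
		s += "@" + r.Digest
	}
	return s
}

// WildcardMatch: '*' matches any run of characters ('/' included, so
// "ghcr.io/org/*" also matches nested paths) and '?' exactly one character.
func WildcardMatch(pattern, s string) bool {
	p, i, star, mark := 0, 0, -1, 0
	for i < len(s) {
		switch {
		case p < len(pattern) && (pattern[p] == '?' || pattern[p] == s[i]):
			p, i = p+1, i+1
		case p < len(pattern) && pattern[p] == '*':
			star, mark, p = p, i, p+1 // remember the star, try matching zero chars first
		case star >= 0:
			mark++ // let the last star absorb one more character and retry
			p, i = star+1, mark
		default:
			return false
		}
	}
	for p < len(pattern) && pattern[p] == '*' {
		p++
	}
	return p == len(pattern)
}

// Rule carries the two pattern lists an ImageVerification rule is keyed on.
type Rule struct {
	ImageReferences, SkipImageReferences []string
}

// Applies reports whether the rule covers an image: some imageReferences
// pattern must match and no skipImageReferences pattern may.
func (r Rule) Applies(image string) bool {
	canon, matched, skipped := ParseImageRef(image).Canonical(), false, false
	for _, p := range r.ImageReferences {
		matched = matched || WildcardMatch(p, canon)
	}
	for _, p := range r.SkipImageReferences {
		skipped = skipped || WildcardMatch(p, canon)
	}
	return matched && !skipped
}

// HasDigest is the check verifyDigest implies: the reference must pin a sha256 digest.
func HasDigest(image string) bool {
	return strings.HasPrefix(ParseImageRef(image).Digest, "sha256:")
}

// WithDigest models mutateDigest: the tag is kept and the digest appended
// (assumption about the exact output form).
func WithDigest(image, digest string) string {
	r := ParseImageRef(image)
	r.Digest = digest
	return r.Canonical()
}
```

Two patterns are worth trying against it before shipping a policy: `ghcr.io/myorg/app*` also matches `ghcr.io/myorg/app-evil:1`, and `ghcr.io/myorg/*` matches every nested repository under the organisation. Patterns decide only whether the rule applies, not whether an image is trusted; that is the attestor set's job, so a broad pattern is acceptable only when the attestors are tight. Leave VerifyDigest at its default of true so that a passing verification of a tag cannot be undone by retargeting that tag afterwards.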

func (*ImageVerification) Convert added in v1.7.0

func (iv *ImageVerification) Convert() *ImageVerification

func (*ImageVerification) DeepCopy

func (in *ImageVerification) DeepCopy() *ImageVerification

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.

func (*ImageVerification) DeepCopyInto

func (in *ImageVerification) DeepCopyInto(out *ImageVerification)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ImageVerification) GetType added in v1.10.0

func (iv *ImageVerification) GetType() ImageVerificationType

func (*ImageVerification) Validate added in v1.7.0

func (iv *ImageVerification) Validate(isAuditFailureAction bool, path *field.Path) (errs field.ErrorList)

Validate implements programmatic validation

type ImageVerificationType added in v1.10.0

type ImageVerificationType string

ImageVerificationType selects the type of verification algorithm +kubebuilder:validation:Enum=Cosign;Notary +kubebuilder:default=Cosign

type KeylessAttestor added in v1.7.0

type KeylessAttestor struct {
	// Rekor provides configuration for the Rekor transparency log service. If an empty object
	// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
	// +kubebuilder:validation:Optional
	Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`

	// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
	// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
	// +kubebuilder:validation:Optional
	CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`

	// Issuer is the certificate issuer used for keyless signing.
	// +kubebuilder:validation:Optional
	Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`

	// Subject is the verified identity used for keyless signing, for example the email address.
	// +kubebuilder:validation:Optional
	Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`

	// Roots is an optional set of PEM encoded trusted root certificates.
	// If not provided, the system roots are used.
	// +kubebuilder:validation:Optional
	Roots string `json:"roots,omitempty" yaml:"roots,omitempty"`

	// AdditionalExtensions are certificate-extensions used for keyless signing.
	// +kubebuilder:validation:Optional
	AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"`
}

func (*KeylessAttestor) DeepCopy added in v1.7.0

func (in *KeylessAttestor) DeepCopy() *KeylessAttestor

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessAttestor.

func (*KeylessAttestor) DeepCopyInto added in v1.7.0

func (in *KeylessAttestor) DeepCopyInto(out *KeylessAttestor)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KeylessAttestor) Validate added in v1.7.0

func (ka *KeylessAttestor) Validate(path *field.Path) (errs field.ErrorList)

type Manifests added in v1.8.0

type Manifests struct {
	// Attestors specifies the required attestors (i.e. authorities)
	// +kubebuilder:validation:Optional
	Attestors []AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"`

	// AnnotationDomain is the custom annotation domain used for the message and signature annotations. Default is "cosign.sigstore.dev".
	// +optional
	AnnotationDomain string `json:"annotationDomain,omitempty" yaml:"annotationDomain,omitempty"`

	// Fields which will be ignored while comparing manifests.
	// +optional
	IgnoreFields IgnoreFieldList `json:"ignoreFields,omitempty" yaml:"ignoreFields,omitempty"`

	// DryRun configuration
	// +optional
	DryRunOption DryRunOption `json:"dryRun,omitempty" yaml:"dryRun,omitempty"`

	// Repository is an optional alternate OCI repository to use for resource bundle reference.
	// The repository can be overridden per Attestor or Attestation.
	Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
}

func (*Manifests) DeepCopy added in v1.8.0

func (in *Manifests) DeepCopy() *Manifests

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Manifests.

func (*Manifests) DeepCopyInto added in v1.8.0

func (in *Manifests) DeepCopyInto(out *Manifests)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MatchResources

type MatchResources struct {
	// Any allows specifying resources which will be ORed
	// +optional
	Any ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`

	// All allows specifying resources which will be ANDed
	// +optional
	All ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`

	// UserInfo contains information about the user performing the operation.
	// Specifying UserInfo directly under match is being deprecated.
	// Please specify under "any" or "all" instead.
	// +optional
	UserInfo `json:",omitempty" yaml:",omitempty"`

	// ResourceDescription contains information about the resource being created or modified.
	// Requires at least one field to be specified when under MatchResources.
	// Specifying ResourceDescription directly under match is being deprecated.
	// Please specify under "any" or "all" instead.
	// +optional
	ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}

MatchResources is used to specify resource and admission review request data for which a policy rule is applicable.

func (*MatchResources) DeepCopy

func (in *MatchResources) DeepCopy() *MatchResources

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.

func (*MatchResources) DeepCopyInto

func (in *MatchResources) DeepCopyInto(out *MatchResources)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*MatchResources) GetKinds added in v1.7.0

func (m *MatchResources) GetKinds() []string

GetKinds returns all kinds

func (*MatchResources) Validate added in v1.7.0

func (m *MatchResources) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList)

Validate implements programmatic validation

type Method added in v1.10.0

type Method string

Method is a HTTP request type. +kubebuilder:validation:Enum=GET;POST

type Mutation

type Mutation struct {
	// Targets defines the target resources to be mutated.
	// +optional
	Targets []TargetResourceSpec `json:"targets,omitempty" yaml:"targets,omitempty"`

	// PatchStrategicMerge is a strategic merge patch used to modify resources.
	// See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
	// and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
	// +optional
	RawPatchStrategicMerge *apiextv1.JSON `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"`

	// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
	// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
	// +optional
	PatchesJSON6902 string `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"`

	// ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
	// +optional
	ForEachMutation []ForEachMutation `json:"foreach,omitempty" yaml:"foreach,omitempty"`
}

Mutation defines how resources are modified.

func (*Mutation) DeepCopy

func (in *Mutation) DeepCopy() *Mutation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Mutation.

func (*Mutation) DeepCopyInto

func (in *Mutation) DeepCopyInto(out *Mutation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Mutation) GetPatchStrategicMerge added in v1.7.0

func (m *Mutation) GetPatchStrategicMerge() apiextensions.JSON

func (*Mutation) SetPatchStrategicMerge added in v1.7.0

func (m *Mutation) SetPatchStrategicMerge(in apiextensions.JSON)

type ObjectFieldBinding added in v1.8.0

type ObjectFieldBinding k8smanifest.ObjectFieldBinding

func (*ObjectFieldBinding) DeepCopy added in v1.8.0

func (in *ObjectFieldBinding) DeepCopy() *ObjectFieldBinding

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectFieldBinding.

func (*ObjectFieldBinding) DeepCopyInto added in v1.8.0

func (in *ObjectFieldBinding) DeepCopyInto(out *ObjectFieldBinding)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodSecurity added in v1.8.0

type PodSecurity struct {
	// Level defines the Pod Security Standard level to be applied to workloads.
	// Allowed values are privileged, baseline, and restricted.
	// +kubebuilder:validation:Enum=privileged;baseline;restricted
	Level api.Level `json:"level,omitempty" yaml:"level,omitempty"`

	// Version defines the Pod Security Standard versions that Kubernetes supports.
	// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
	// +kubebuilder:validation:Enum=v1.19;v1.20;v1.21;v1.22;v1.23;v1.24;v1.25;v1.26;v1.27;v1.28;v1.29;latest
	// +optional
	Version string `json:"version,omitempty" yaml:"version,omitempty"`

	// Exclude specifies the Pod Security Standard controls to be excluded.
	Exclude []PodSecurityStandard `json:"exclude,omitempty" yaml:"exclude,omitempty"`
}

PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls.

func (*PodSecurity) DeepCopy added in v1.8.0

func (in *PodSecurity) DeepCopy() *PodSecurity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurity.

func (*PodSecurity) DeepCopyInto added in v1.8.0

func (in *PodSecurity) DeepCopyInto(out *PodSecurity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodSecurityStandard added in v1.8.0

type PodSecurityStandard struct {
	// ControlName specifies the name of the Pod Security Standard control.
	// See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
	// +kubebuilder:validation:Enum=HostProcess;Host Namespaces;Privileged Containers;Capabilities;HostPath Volumes;Host Ports;AppArmor;SELinux;/proc Mount Type;Seccomp;Sysctls;Volume Types;Privilege Escalation;Running as Non-root;Running as Non-root user
	ControlName string `json:"controlName" yaml:"controlName"`

	// Images selects matching containers and applies the container level PSS.
	// Each image is the image name consisting of the registry address, repository, image, and tag.
	// An empty list matches no containers; PSS checks are then applied at the pod level only.
	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
	// +optional
	Images []string `json:"images,omitempty" yaml:"images,omitempty"`

	// RestrictedField selects the field for the given Pod Security Standard control.
	// When not set, all restricted fields for the control are selected.
	// +optional
	RestrictedField string `json:"restrictedField,omitempty" yaml:"restrictedField,omitempty"`

	// Values defines the allowed values that can be excluded.
	// +optional
	Values []string `json:"values,omitempty" yaml:"values,omitempty"`
}

PodSecurityStandard specifies the Pod Security Standard controls to be excluded.
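A ClusterPolicy that uses both types above (PodSecurity for the profile, PodSecurityStandard entries for scoped exemptions), written here as an added example rather than a manifest from the Kyverno project; the policy name and image references are constructed, and the restrictedField path is an assumed value for illustration:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pss-restricted-with-exemptions   # constructed name
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: restricted-with-scoped-exemptions
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          # PodSecurity: the profile level and the PSS version it is evaluated against
          level: restricted
          version: v1.29
          # PodSecurityStandard entries: each one exempts a single control, optionally
          # narrowed to specific images, one restricted field and a fixed set of
          # values. Every control not listed here stays fully enforced.
          exclude:
            # Control-level exemption limited to one image: only this container may
            # use hostPath volumes; other containers in the same Pod are still checked.
            # With an empty images list the exemption would apply at the Pod level.
            - controlName: HostPath Volumes
              images:
                - ghcr.io/example/node-log-agent:*        # constructed image reference
            # Field-level exemption: the control still applies, except that this one
            # field may carry the listed value for the named image. The path below is
            # an assumed restrictedField value, not taken from this page.
            - controlName: Running as Non-root
              images:
                - registry.example.com/platform/legacy-batch:*   # constructed
              restrictedField: spec.containers[*].securityContext.runAsNonRoot
              values:
                - "false"
```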

func (*PodSecurityStandard) DeepCopy added in v1.8.0

func (in *PodSecurityStandard) DeepCopy() *PodSecurityStandard

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityStandard.

func (*PodSecurityStandard) DeepCopyInto added in v1.8.0

func (in *PodSecurityStandard) DeepCopyInto(out *PodSecurityStandard)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodSecurityStandard) Validate added in v1.12.0

func (pss *PodSecurityStandard) Validate(path *field.Path) (errs field.ErrorList)

type Policy

type Policy struct {
	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

	// Spec defines policy behaviors and contains one or more rules.
	Spec Spec `json:"spec" yaml:"spec"`

	// +optional
	// Deprecated. Policy metrics are available via the metrics endpoint
	Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}

Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.

func (*Policy) AdmissionProcessingEnabled added in v1.10.5

func (p *Policy) AdmissionProcessingEnabled() bool

AdmissionProcessingEnabled checks if admission is set to true

func (*Policy) BackgroundProcessingEnabled added in v1.7.0

func (p *Policy) BackgroundProcessingEnabled() bool

BackgroundProcessingEnabled checks if background is set to true

func (*Policy) CreateDeepCopy added in v1.7.0

func (p *Policy) CreateDeepCopy() PolicyInterface

func (*Policy) DeepCopy

func (in *Policy) DeepCopy() *Policy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.

func (*Policy) DeepCopyInto

func (in *Policy) DeepCopyInto(out *Policy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Policy) DeepCopyObject

func (in *Policy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*Policy) GetKind added in v1.7.0

func (p *Policy) GetKind() string

func (*Policy) GetSpec added in v1.7.0

func (p *Policy) GetSpec() *Spec

GetSpec returns the policy spec

func (*Policy) GetStatus added in v1.8.1

func (p *Policy) GetStatus() *PolicyStatus

GetStatus returns the policy status

func (*Policy) HasAutoGenAnnotation added in v1.7.0

func (p *Policy) HasAutoGenAnnotation() bool

HasAutoGenAnnotation checks if a policy has auto-gen annotation

func (*Policy) HasGenerate added in v1.7.0

func (p *Policy) HasGenerate() bool

HasGenerate checks for generate rule types

func (*Policy) HasMutate added in v1.7.0

func (p *Policy) HasMutate() bool

HasMutate checks for mutate rule types

func (*Policy) HasMutateOrValidateOrGenerate added in v1.7.0

func (p *Policy) HasMutateOrValidateOrGenerate() bool

HasMutateOrValidateOrGenerate checks for rule types

func (*Policy) HasValidate added in v1.7.0

func (p *Policy) HasValidate() bool

HasValidate checks for validate rule types

func (*Policy) HasVerifyImages added in v1.7.0

func (p *Policy) HasVerifyImages() bool

HasVerifyImages checks for image verification rule types

func (*Policy) IsNamespaced added in v1.7.0

func (p *Policy) IsNamespaced() bool

IsNamespaced indicates if the policy is namespace scoped

func (*Policy) IsReady added in v1.7.0

func (p *Policy) IsReady() bool

IsReady indicates if the policy is ready to serve the admission request

func (*Policy) Validate added in v1.7.0

func (p *Policy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList)

Validate implements programmatic validation. A namespaced policy is bound to a namespace and therefore should not filter or generate cluster-wide resources.

type PolicyInterface added in v1.7.0

type PolicyInterface interface {
	metav1.Object
	AdmissionProcessingEnabled() bool
	BackgroundProcessingEnabled() bool
	IsNamespaced() bool
	GetSpec() *Spec
	GetStatus() *PolicyStatus
	Validate(sets.Set[string]) field.ErrorList
	GetKind() string
	CreateDeepCopy() PolicyInterface
	IsReady() bool
}

PolicyInterface abstracts the concrete policy type (Policy vs ClusterPolicy) +kubebuilder:object:generate=false

type PolicyList

type PolicyList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`
	Items           []Policy `json:"items" yaml:"items"`
}

PolicyList is a list of Policy instances.

func (*PolicyList) DeepCopy

func (in *PolicyList) DeepCopy() *PolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList.

func (*PolicyList) DeepCopyInto

func (in *PolicyList) DeepCopyInto(out *PolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyList) DeepCopyObject

func (in *PolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PolicyStatus

type PolicyStatus struct {
	// Deprecated in favor of Conditions
	Ready bool `json:"ready" yaml:"ready"`
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
	// +optional
	Autogen AutogenStatus `json:"autogen" yaml:"autogen"`
	// +optional
	RuleCount RuleCountStatus `json:"rulecount" yaml:"rulecount"`
	// ValidatingAdmissionPolicy contains status information
	// +optional
	ValidatingAdmissionPolicy ValidatingAdmissionPolicyStatus `json:"validatingadmissionpolicy" yaml:"validatingadmissionpolicy"`
}

Deprecated. Policy metrics are now available via the "/metrics" endpoint. See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/

func (*PolicyStatus) DeepCopy

func (in *PolicyStatus) DeepCopy() *PolicyStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.

func (*PolicyStatus) DeepCopyInto

func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyStatus) IsReady added in v1.7.0

func (status *PolicyStatus) IsReady() bool

IsReady indicates if the policy is ready to serve the admission request

func (*PolicyStatus) SetReady added in v1.7.0

func (status *PolicyStatus) SetReady(ready bool, message string)

type Rekor added in v1.10.5

type Rekor struct {
	// URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
	// +kubebuilder:validation:Optional
	// +kubebuilder:Default:=https://rekor.sigstore.dev
	URL string `json:"url" yaml:"url"`

	// RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
	// If set, this will be used to validate transparency log signatures from a custom Rekor.
	// +kubebuilder:validation:Optional
	RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`

	// IgnoreTlog skips transparency log verification.
	// +kubebuilder:validation:Optional
	IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"`
}

func (*Rekor) DeepCopy added in v1.10.5

func (in *Rekor) DeepCopy() *Rekor

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rekor.

func (*Rekor) DeepCopyInto added in v1.10.5

func (in *Rekor) DeepCopyInto(out *Rekor)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RequestData added in v1.10.0

type RequestData struct {
	// Key is a unique identifier for the data value
	Key string `json:"key" yaml:"key"`

	// Value is the data value
	Value *apiextv1.JSON `json:"value" yaml:"value"`
}

RequestData contains the HTTP POST data

func (*RequestData) DeepCopy added in v1.10.0

func (in *RequestData) DeepCopy() *RequestData

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestData.

func (*RequestData) DeepCopyInto added in v1.10.0

func (in *RequestData) DeepCopyInto(out *RequestData)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ResourceDescription

type ResourceDescription struct {
	// Kinds is a list of resource kinds.
	// +optional
	Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`

	// Name is the name of the resource. The name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// NOTE: "Name" is being deprecated in favor of "Names".
	// +optional
	Name string `json:"name,omitempty" yaml:"name,omitempty"`

	// Names are the names of the resources. Each name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// +optional
	Names []string `json:"names,omitempty" yaml:"names,omitempty"`

	// Namespaces is a list of namespaces names. Each name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// +optional
	Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`

	// Annotations is a map of annotations (key-value pairs of type string). Annotation keys
	// and values support the wildcard characters "*" (matches zero or many characters) and
	// "?" (matches at least one character).
	// +optional
	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`

	// Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
	// characters `*` (matches zero or many characters) and `?` (matches one character).
	// Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
	// using ["*" : "*"] matches any key and value but does not match an empty label set.
	// +optional
	Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`

	// NamespaceSelector is a label selector for the resource namespace. Label keys and values
	// in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
	// and `?` (matches one character). Wildcards allow writing label selectors like
	// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
	// does not match an empty label set.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`

	// Operations can contain values ["CREATE", "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.
	// +optional
	Operations []AdmissionOperation `json:"operations,omitempty" yaml:"operations,omitempty"`
}

ResourceDescription contains criteria used to match resources.

func (*ResourceDescription) DeepCopy

func (in *ResourceDescription) DeepCopy() *ResourceDescription

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDescription.

func (*ResourceDescription) DeepCopyInto

func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (ResourceDescription) GetOperations added in v1.10.0

func (r ResourceDescription) GetOperations() []string

func (ResourceDescription) IsEmpty added in v1.9.0

func (r ResourceDescription) IsEmpty() bool

func (*ResourceDescription) Validate added in v1.7.0

func (r *ResourceDescription) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList)

Validate implements programmatic validation

type ResourceFilter

type ResourceFilter struct {
	// UserInfo contains information about the user performing the operation.
	// +optional
	UserInfo `json:",omitempty" yaml:",omitempty"`

	// ResourceDescription contains information about the resource being created or modified.
	ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}

ResourceFilter allows users to "AND" or "OR" between resources

func (*ResourceFilter) DeepCopy

func (in *ResourceFilter) DeepCopy() *ResourceFilter

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilter.

func (*ResourceFilter) DeepCopyInto

func (in *ResourceFilter) DeepCopyInto(out *ResourceFilter)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (ResourceFilter) IsEmpty added in v1.9.0

func (r ResourceFilter) IsEmpty() bool

type ResourceFilters

type ResourceFilters []ResourceFilter

ResourceFilters is a slice of ResourceFilter

func (ResourceFilters) DeepCopy

func (in ResourceFilters) DeepCopy() ResourceFilters

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilters.

func (ResourceFilters) DeepCopyInto

func (in ResourceFilters) DeepCopyInto(out *ResourceFilters)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ResourceSpec

type ResourceSpec struct {
	// APIVersion specifies resource apiVersion.
	// +optional
	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
	// Kind specifies resource kind.
	Kind string `json:"kind,omitempty" yaml:"kind,omitempty"`
	// Namespace specifies resource namespace.
	// +optional
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
	// Name specifies the resource name.
	// +optional
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
	// UID specifies the resource uid.
	// +optional
	UID types.UID `json:"uid,omitempty" yaml:"uid,omitempty"`
}

func (*ResourceSpec) DeepCopy

func (in *ResourceSpec) DeepCopy() *ResourceSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceSpec.

func (*ResourceSpec) DeepCopyInto

func (in *ResourceSpec) DeepCopyInto(out *ResourceSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (ResourceSpec) GetAPIVersion added in v1.7.0

func (s ResourceSpec) GetAPIVersion() string

func (ResourceSpec) GetGroupVersion added in v1.10.1

func (s ResourceSpec) GetGroupVersion() (schema.GroupVersion, error)

func (ResourceSpec) GetKind added in v1.7.0

func (s ResourceSpec) GetKind() string

func (ResourceSpec) GetName added in v1.7.0

func (s ResourceSpec) GetName() string

func (ResourceSpec) GetNamespace added in v1.7.0

func (s ResourceSpec) GetNamespace() string

func (ResourceSpec) GetUID added in v1.11.0

func (s ResourceSpec) GetUID() types.UID

func (ResourceSpec) String added in v1.10.0

func (s ResourceSpec) String() string

type Rule

type Rule struct {
	// Name is a label to identify the rule. It must be unique within the policy.
	// +kubebuilder:validation:MaxLength=63
	Name string `json:"name" yaml:"name"`

	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`

	// MatchResources defines when this policy rule should be applied. The match
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the user name or role.
	// At least one kind is required.
	MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`

	// ExcludeResources defines when this policy rule should not be applied. The exclude
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the name or role.
	// +optional
	ExcludeResources MatchResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`

	// ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
	// This config is only valid for verifyImages rules.
	// +optional
	ImageExtractors ImageExtractorConfigs `json:"imageExtractors,omitempty" yaml:"imageExtractors,omitempty"`

	// Preconditions are used to determine if a policy rule should be applied by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
	// of conditions (without `any` or `all` statements) is supported for backwards compatibility but
	// will be deprecated in the next major release.
	// See: https://kyverno.io/docs/writing-policies/preconditions/
	// +optional
	RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`

	// CELPreconditions are used to determine if a policy rule should be applied by evaluating a
	// set of CEL conditions. It can only be used with the validate.cel subrule
	// +optional
	CELPreconditions []admissionregistrationv1alpha1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"`

	// Mutation is used to modify matching resources.
	// +optional
	Mutation Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`

	// Validation is used to validate matching resources.
	// +optional
	Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`

	// Generation is used to create new resources.
	// +optional
	Generation Generation `json:"generate,omitempty" yaml:"generate,omitempty"`

	// VerifyImages is used to verify image signatures and mutate them to add a digest
	// +optional
	VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`

	// SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
	// The default value is "true"; it must be set to "false" to apply
	// generate and mutateExisting rules to those requests.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty" yaml:"skipBackgroundRequests,omitempty"`
}

Rule defines a validation, mutation, or generation control for matching resources. Each rule contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude.

func (*Rule) DeepCopy

func (in *Rule) DeepCopy() *Rule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.

func (*Rule) DeepCopyInto

func (in *Rule) DeepCopyInto(out *Rule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Rule) GetAnyAllConditions added in v1.7.0

func (r *Rule) GetAnyAllConditions() apiextensions.JSON

func (*Rule) GetTypeAndSyncAndOrphanDownstream added in v1.12.0

func (r *Rule) GetTypeAndSyncAndOrphanDownstream() (_ GenerateType, sync bool, orphanDownstream bool)

func (*Rule) HasGenerate

func (r *Rule) HasGenerate() bool

HasGenerate checks for generate rule

func (*Rule) HasMutate

func (r *Rule) HasMutate() bool

HasMutate checks for mutate rule

func (*Rule) HasMutateExisting added in v1.12.0

func (r *Rule) HasMutateExisting() bool

HasMutateExisting checks if the mutate rule applies to existing resources

func (*Rule) HasMutateStandard added in v1.12.0

func (r *Rule) HasMutateStandard() bool

HasMutateStandard checks for standard admission mutate rule

func (*Rule) HasValidate

func (r *Rule) HasValidate() bool

HasValidate checks for validate rule

func (*Rule) HasValidateCEL added in v1.10.5

func (r *Rule) HasValidateCEL() bool

HasValidateCEL checks for validate.cel rule

func (Rule) HasValidatePodSecurity added in v1.10.0

func (r Rule) HasValidatePodSecurity() bool

HasValidatePodSecurity checks for validate.podSecurity rule

func (*Rule) HasVerifyImageChecks added in v1.10.0

func (r *Rule) HasVerifyImageChecks() bool

HasVerifyImageChecks checks whether the verifyImages rule has validation checks

func (*Rule) HasVerifyImages

func (r *Rule) HasVerifyImages() bool

HasVerifyImages checks for verifyImages rule

func (Rule) HasVerifyManifests added in v1.10.0

func (r Rule) HasVerifyManifests() bool

HasVerifyManifests checks for validate.manifests rule

func (*Rule) IsPodSecurity added in v1.8.0

func (r *Rule) IsPodSecurity() bool

func (*Rule) SetAnyAllConditions added in v1.7.0

func (r *Rule) SetAnyAllConditions(in apiextensions.JSON)

func (*Rule) Validate added in v1.7.0

func (r *Rule) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList)

Validate implements programmatic validation

func (*Rule) ValidateGenerate added in v1.10.0

func (r *Rule) ValidateGenerate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList)

func (*Rule) ValidateMatchExcludeConflict added in v1.7.0

func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList)

ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set

func (*Rule) ValidateMutationRuleTargetNamespace added in v1.8.0

func (r *Rule) ValidateMutationRuleTargetNamespace(path *field.Path, namespaced bool, policyNamespace string) (errs field.ErrorList)

ValidateMutationRuleTargetNamespace checks if the targets are scoped to the policy's namespace

func (*Rule) ValidatePSaControlNames added in v1.8.0

func (r *Rule) ValidatePSaControlNames(path *field.Path) (errs field.ErrorList)

func (*Rule) ValidateRuleType added in v1.7.0

func (r *Rule) ValidateRuleType(path *field.Path) (errs field.ErrorList)

ValidateRuleType checks only one type of rule is defined per rule

type RuleCountStatus added in v1.9.0

type RuleCountStatus struct {
	// Count for validate rules in policy
	Validate int `json:"validate" yaml:"validate"`
	// Count for generate rules in policy
	Generate int `json:"generate" yaml:"generate"`
	// Count for mutate rules in policy
	Mutate int `json:"mutate" yaml:"mutate"`
	// Count for verify image rules in policy
	VerifyImages int `json:"verifyimages" yaml:"verifyimages"`
}

RuleCountStatus contains four counters that describe the number of validate, generate, mutate and verify images rules

func (*RuleCountStatus) DeepCopy added in v1.9.0

func (in *RuleCountStatus) DeepCopy() *RuleCountStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleCountStatus.

func (*RuleCountStatus) DeepCopyInto added in v1.9.0

func (in *RuleCountStatus) DeepCopyInto(out *RuleCountStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SecretReference added in v1.9.0

type SecretReference struct {
	// Name of the secret. The provided secret must contain a key named cosign.pub.
	Name string `json:"name" yaml:"name"`

	// Namespace name where the Secret exists.
	Namespace string `json:"namespace" yaml:"namespace"`
}

func (*SecretReference) DeepCopy added in v1.9.0

func (in *SecretReference) DeepCopy() *SecretReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretReference.

func (*SecretReference) DeepCopyInto added in v1.9.0

func (in *SecretReference) DeepCopyInto(out *SecretReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ServiceCall added in v1.10.0

type ServiceCall struct {
	// URL is the JSON web service URL. A typical form is
	// `https://{service}.{namespace}:{port}/{path}`.
	URL string `json:"url" yaml:"url"`

	// CABundle is a PEM encoded CA bundle which will be used to validate
	// the server certificate.
	// +kubebuilder:validation:Optional
	CABundle string `json:"caBundle" yaml:"caBundle"`
}

func (*ServiceCall) DeepCopy added in v1.10.0

func (in *ServiceCall) DeepCopy() *ServiceCall

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceCall.

func (*ServiceCall) DeepCopyInto added in v1.10.0

func (in *ServiceCall) DeepCopyInto(out *ServiceCall)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Spec

type Spec struct {
	// Rules is a list of Rule instances. A Policy contains multiple rules and
	// each rule can validate, mutate, or generate resources.
	Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`

	// ApplyRules controls how rules in a policy are applied. Rules are processed in
	// the order of declaration. When set to `One`, processing stops after a rule has
	// been applied, i.e. the rule matches and results in a pass, fail, or error. When
	// set to `All`, all rules in the policy are processed. The default is `All`.
	// +optional
	ApplyRules *ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`

	// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
	// Rules within the same policy share the same failure behavior.
	// This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
	// Allowed values are Ignore or Fail. Defaults to Fail.
	// +optional
	FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`

	// ValidationFailureAction defines if a validation policy rule violation should block
	// the admission review request (enforce), or allow (audit) the admission review request
	// and report an error in a policy report. Optional.
	// Allowed values are audit or enforce. The default value is "Audit".
	// +optional
	// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
	// +kubebuilder:default=Audit
	ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`

	// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
	// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
	// +optional
	ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`

	// Admission controls if rules are applied during admission.
	// Optional. Default value is "true".
	// +optional
	// +kubebuilder:default=true
	Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"`

	// Background controls if rules are applied to existing resources during a background scan.
	// Optional. Default value is "true". The value must be set to "false" if the policy rule
	// uses variables that are only available in the admission review request (e.g. user name).
	// +optional
	// +kubebuilder:default=true
	Background *bool `json:"background,omitempty" yaml:"background,omitempty"`

	// Deprecated.
	SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`

	// WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
	// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
	// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
	WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`

	// MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
	// Default value is "false".
	// +optional
	MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`

	// Deprecated, use generateExisting instead
	// +optional
	GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`

	// GenerateExisting controls whether to trigger generate rules for existing resources.
	// If set to "true", generate rules will be triggered and applied to existing matched resources.
	// Defaults to "false" if not specified.
	// +optional
	GenerateExisting bool `json:"generateExisting,omitempty" yaml:"generateExisting,omitempty"`

	// UseServerSideApply controls whether to use server-side apply for generate rules.
	// If set to "true", create and update for generate rules will use apply instead of create/update.
	// Defaults to "false" if not specified.
	// +optional
	UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`

	// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
	// Requires Kubernetes 1.27 or later.
	// +optional
	WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
}

Spec contains a list of Rule instances and other policy controls.
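The Spec-level controls above decide whether a policy fails open or closed; the manifest below is an added example, not one from the Kyverno project, and pairs each control with the setting a defender normally wants. The policy name and namespace patterns are constructed, and the override entries' `action`/`namespaces` fields and the `validate.message`/`validate.pattern` fields are Kyverno fields defined outside this page section:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot   # constructed name
spec:
  # Audit only records violations in policy reports and still admits the
  # resource; Enforce rejects the admission request. The default is Audit,
  # so a policy that is meant to block must say so explicitly.
  validationFailureAction: Enforce
  # Per-namespace relaxation of the action above (ClusterPolicy only):
  # here a constructed sandbox namespace pattern reports instead of blocks.
  validationFailureActionOverrides:
    - action: Audit
      namespaces:
        - sandbox-*
  # Ignore admits the request when Kyverno hits an unexpected error or the
  # webhook times out (fail open); Fail rejects it (fail closed). Defaults to Fail.
  failurePolicy: Fail
  # Must be between 1 and 30 (default 10); failurePolicy decides what happens
  # once this budget is exhausted.
  webhookTimeoutSeconds: 15
  # Apply at admission time (default true) ...
  admission: true
  # ... and re-check existing resources in background scans (default true).
  # Must be false for rules that read admission-only variables such as the
  # requesting user name.
  background: true
  rules:
    - name: run-as-nonroot
      # match and exclude are ResourceFilters: entries under "any" are ORed,
      # entries under "all" are ANDed.
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      validate:
        message: "Containers must set securityContext.runAsNonRoot to true."
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true
```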

func (*Spec) AdmissionProcessingEnabled added in v1.10.5

func (s *Spec) AdmissionProcessingEnabled() bool

AdmissionProcessingEnabled checks if admission is set to true

func (*Spec) BackgroundProcessingEnabled added in v1.7.0

func (s *Spec) BackgroundProcessingEnabled() bool

BackgroundProcessingEnabled checks if background is set to true

func (*Spec) CustomWebhookConfiguration added in v1.12.0

func (s *Spec) CustomWebhookConfiguration() bool

func (*Spec) DeepCopy

func (in *Spec) DeepCopy() *Spec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.

func (*Spec) DeepCopyInto

func (in *Spec) DeepCopyInto(out *Spec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Spec) GetApplyRules added in v1.8.0

func (s *Spec) GetApplyRules() ApplyRulesType

GetApplyRules returns the ApplyRules setting to be applied

func (*Spec) GetFailurePolicy added in v1.7.0

func (s *Spec) GetFailurePolicy(ctx context.Context) FailurePolicyType

GetFailurePolicy returns the failure policy to be applied

func (*Spec) GetMatchConditions added in v1.12.0

func (s *Spec) GetMatchConditions() []admissionregistrationv1.MatchCondition

GetMatchConditions returns matchConditions in webhookConfiguration

func (*Spec) GetMutateExistingOnPolicyUpdate added in v1.7.0

func (s *Spec) GetMutateExistingOnPolicyUpdate() bool

GetMutateExistingOnPolicyUpdate returns the MutateExistingOnPolicyUpdate value

func (*Spec) HasGenerate added in v1.7.0

func (s *Spec) HasGenerate() bool

HasGenerate checks for generate rule types

func (*Spec) HasMutate added in v1.7.0

func (s *Spec) HasMutate() bool

HasMutate checks for mutate rule types

func (*Spec) HasMutateExisting added in v1.12.0

func (s *Spec) HasMutateExisting() bool

HasMutateExisting checks for mutate existing rule types

func (*Spec) HasMutateOrValidateOrGenerate added in v1.7.0

func (s *Spec) HasMutateOrValidateOrGenerate() bool

HasMutateOrValidateOrGenerate checks for rule types

func (*Spec) HasMutateStandard added in v1.12.0

func (s *Spec) HasMutateStandard() bool

HasMutateStandard checks for standard admission mutate rule

func (*Spec) HasValidate added in v1.7.0

func (s *Spec) HasValidate() bool

HasValidate checks for validate rule types

func (*Spec) HasVerifyImageChecks added in v1.10.0

func (s *Spec) HasVerifyImageChecks() bool

HasVerifyImageChecks checks for image verification rules invoked during resource validation

func (*Spec) HasVerifyImages added in v1.7.0

func (s *Spec) HasVerifyImages() bool

HasVerifyImages checks for image verification rules invoked during resource mutation

func (*Spec) HasVerifyManifests added in v1.10.0

func (s *Spec) HasVerifyManifests() bool

HasVerifyManifests checks for manifest verification rules (see Validation.Manifests).

func (*Spec) IsGenerateExisting added in v1.10.0

func (s *Spec) IsGenerateExisting() bool

IsGenerateExisting returns the configured GenerateExisting value.

func (*Spec) SetRules added in v1.7.0

func (s *Spec) SetRules(rules []Rule)

func (*Spec) Validate added in v1.7.0

func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList)

Validate implements programmatic validation

func (*Spec) ValidateRuleNames added in v1.7.0

func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList)

ValidateRuleNames checks if the rule names are unique across a policy

func (*Spec) ValidateRules added in v1.7.0

func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList)

ValidateRules implements programmatic validation of Rules
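The rule-type and rule-name checks above are documented only by their signatures. The following is an added example, not Kyverno's own implementation: it models Spec and Rule with the handful of fields the checks need (an assumption; the real kyverno.io/v1 types carry many more), reports the rule-type booleans, and rejects duplicate or empty rule names with field-path style error strings in place of k8s.io field.ErrorList. The empty-name rejection is this example's own choice.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule and Spec are minimal stand-ins for the kyverno.io/v1 types; the real ones
// carry many more fields. Only the parts needed for rule-type checks and
// rule-name validation are modelled here (assumption of this example).
type Rule struct {
	Name       string
	Mutation   *struct{}
	Validation *struct{}
	Generation *struct{}
}

type Spec struct {
	Rules []Rule
}

// HasMutate reports whether any rule carries a mutate block.
func (s *Spec) HasMutate() bool {
	for _, r := range s.Rules {
		if r.Mutation != nil {
			return true
		}
	}
	return false
}

// HasValidate reports whether any rule carries a validate block.
func (s *Spec) HasValidate() bool {
	for _, r := range s.Rules {
		if r.Validation != nil {
			return true
		}
	}
	return false
}

// ValidateRuleNames rejects empty and duplicate rule names. Errors are returned as
// strings prefixed with a field path such as "spec.rules[2].name", standing in for
// k8s.io field.ErrorList; the empty-name check is an assumption of this example.
func (s *Spec) ValidateRuleNames(path string) []string {
	var errs []string
	seen := map[string]int{} // rule name -> index of first occurrence
	for i, r := range s.Rules {
		p := fmt.Sprintf("%s.rules[%d].name", path, i)
		name := strings.TrimSpace(r.Name)
		if name == "" {
			errs = append(errs, p+": rule name must not be empty")
			continue
		}
		if first, dup := seen[name]; dup {
			errs = append(errs, fmt.Sprintf("%s: duplicate rule name %q (first used at %s.rules[%d])", p, name, path, first))
			continue
		}
		seen[name] = i
	}
	return errs
}

func main() {
	// Constructed policy spec with a colliding rule name.
	spec := &Spec{Rules: []Rule{
		{Name: "require-labels", Validation: &struct{}{}},
		{Name: "add-default-sa", Mutation: &struct{}{}},
		{Name: "require-labels", Validation: &struct{}{}},
	}}
	fmt.Println("validate rules:", spec.HasValidate(), "mutate rules:", spec.HasMutate())
	for _, e := range spec.ValidateRuleNames("spec") {
		fmt.Println(e)
	}
}
```

Unique rule names matter beyond tidiness: policy results are attributed by rule name, so a collision makes it impossible to tell which rule produced a given pass or fail entry in a report.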

type StaticKeyAttestor added in v1.7.0

type StaticKeyAttestor struct {
	// Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
	// specified or can be a variable reference to a key specified in a ConfigMap (see
	// https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
	// elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
	// The named Secret must specify a key `cosign.pub` containing the public key used for
	// verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
	// When multiple keys are specified each key is processed as a separate staticKey entry
	// (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
	PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`

	// Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
	// +kubebuilder:default=sha256
	SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`

	// KMS provides the URI to the public key stored in a Key Management System. See:
	// https://github.com/sigstore/cosign/blob/main/KMS.md
	KMS string `json:"kms,omitempty" yaml:"kms,omitempty"`

	// Reference to a Secret resource that contains a public key
	Secret *SecretReference `json:"secret,omitempty" yaml:"secret,omitempty"`

	// Rekor provides configuration for the Rekor transparency log service. If an empty object
	// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
	// +kubebuilder:validation:Optional
	Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`

	// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
	// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
	// +kubebuilder:validation:Optional
	CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
}

func (*StaticKeyAttestor) DeepCopy added in v1.7.0

func (in *StaticKeyAttestor) DeepCopy() *StaticKeyAttestor

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticKeyAttestor.

func (*StaticKeyAttestor) DeepCopyInto added in v1.7.0

func (in *StaticKeyAttestor) DeepCopyInto(out *StaticKeyAttestor)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*StaticKeyAttestor) Validate added in v1.7.0

func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList)
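The publicKeys comment above states that each PEM key becomes its own staticKey entry and that the attestor count is applied across those keys. The following added example (not Kyverno's or cosign's code) makes that concrete with the Go standard library: it splits a publicKeys value into one parsed key per PEM block, hashes the payload with the documented signatureAlgorithm values (sha256 when unset), counts how many keys verify a DER-encoded ECDSA signature, and compares that count with the required number. Restricting to ECDSA keys, the DER signature encoding and the NewDemoKey helper that stands in for a signer are assumptions of this example; a policy itself holds only public keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"hash"
)

// digests maps the documented signatureAlgorithm values to a digest constructor;
// the empty string stands for the default (sha256).
var digests = map[string]func() hash.Hash{
	"": sha256.New, "sha224": sha256.New224, "sha256": sha256.New,
	"sha384": sha512.New384, "sha512": sha512.New,
}

func digest(alg string, payload []byte) ([]byte, error) {
	newHash, ok := digests[alg]
	if !ok {
		return nil, fmt.Errorf("unsupported signatureAlgorithm %q", alg)
	}
	h := newHash()
	h.Write(payload)
	return h.Sum(nil), nil
}

// ParsePublicKeys splits a publicKeys value into one key per PEM block, the way
// each key becomes a separate staticKey entry. Accepting only ECDSA keys is an
// assumption of this example.
func ParsePublicKeys(pemData string) ([]*ecdsa.PublicKey, error) {
	var keys []*ecdsa.PublicKey
	rest := []byte(pemData)
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "PUBLIC KEY" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		ec, ok := pub.(*ecdsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("only ECDSA public keys are handled in this example")
		}
		keys = append(keys, ec)
	}
	if len(keys) == 0 {
		return nil, fmt.Errorf("no PEM-encoded public keys found")
	}
	return keys, nil
}

// CountVerifying reports how many keys accept sig (DER-encoded ECDSA, as
// produced by ecdsa.SignASN1) over payload under the configured digest.
func CountVerifying(keys []*ecdsa.PublicKey, alg string, payload, sig []byte) (int, error) {
	d, err := digest(alg, payload)
	if err != nil {
		return 0, err
	}
	n := 0
	for _, k := range keys {
		if ecdsa.VerifyASN1(k, d, sig) {
			n++
		}
	}
	return n, nil
}

// Satisfied applies the attestor count across the keys: at least required keys
// must verify the signature.
func Satisfied(keys []*ecdsa.PublicKey, alg string, payload, sig []byte, required int) (bool, error) {
	n, err := CountVerifying(keys, alg, payload, sig)
	return err == nil && n >= required, err
}

// NewDemoKey returns a throwaway P-256 key pair and its PEM public key. It
// stands in for a signer's key (constructed for this example).
func NewDemoKey() (*ecdsa.PrivateKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, "", err
	}
	return priv, string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// Sign produces the DER ECDSA signature a verifier would check.
func Sign(priv *ecdsa.PrivateKey, alg string, payload []byte) ([]byte, error) {
	d, err := digest(alg, payload)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, d)
}
```

Two behaviours are worth noticing: a signature made under one digest does not verify under another, so the signatureAlgorithm in the policy has to match the one the signer used, and a publicKeys value with no parseable PEM block is an error rather than an attestor that silently verifies nothing.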

type TargetResourceSpec added in v1.10.0

type TargetResourceSpec struct {
	// ResourceSpec contains the target resources to load when mutating existing resources.
	ResourceSpec `json:",omitempty" yaml:",omitempty"`

	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`

	// Preconditions are used to determine if a policy rule should be applied by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
	// of conditions (without `any` or `all` statements) is supported for backwards compatibility but
	// will be deprecated in the next major release.
	// See: https://kyverno.io/docs/writing-policies/preconditions/
	// +optional
	RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
}

TargetResourceSpec defines targets for mutating existing resources.

func (*TargetResourceSpec) DeepCopy added in v1.10.0

func (in *TargetResourceSpec) DeepCopy() *TargetResourceSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetResourceSpec.

func (*TargetResourceSpec) DeepCopyInto added in v1.10.0

func (in *TargetResourceSpec) DeepCopyInto(out *TargetResourceSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*TargetResourceSpec) GetAnyAllConditions added in v1.10.0

func (r *TargetResourceSpec) GetAnyAllConditions() apiextensions.JSON

type UserInfo

type UserInfo struct {
	// Roles is the list of namespaced role names for the user.
	// +optional
	Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`

	// ClusterRoles is the list of cluster-wide role names for the user.
	// +optional
	ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`

	// Subjects is the list of subject names like users, user groups, and service accounts.
	// +optional
	Subjects []rbacv1.Subject `json:"subjects,omitempty" yaml:"subjects,omitempty"`
}

UserInfo contains information about the user performing the operation.

func (*UserInfo) DeepCopy

func (in *UserInfo) DeepCopy() *UserInfo

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInfo.

func (*UserInfo) DeepCopyInto

func (in *UserInfo) DeepCopyInto(out *UserInfo)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (UserInfo) IsEmpty added in v1.9.0

func (r UserInfo) IsEmpty() bool

func (*UserInfo) Validate added in v1.7.0

func (u *UserInfo) Validate(path *field.Path) (errs field.ErrorList)

Validate implements programmatic validation

func (*UserInfo) ValidateNoUserInfo added in v1.9.0

func (u *UserInfo) ValidateNoUserInfo(path *field.Path) (errs field.ErrorList)

ValidateNoUserInfo verifies that no user info is used

func (*UserInfo) ValidateRoles added in v1.7.0

func (u *UserInfo) ValidateRoles(path *field.Path) (errs field.ErrorList)

ValidateRoles implements programmatic validation of Roles

func (*UserInfo) ValidateSubjects added in v1.7.0

func (u *UserInfo) ValidateSubjects(path *field.Path) (errs field.ErrorList)

ValidateSubjects implements programmatic validation of Subjects

type ValidatingAdmissionPolicyStatus added in v1.10.5

type ValidatingAdmissionPolicyStatus struct {
	// Generated indicates whether a validating admission policy is generated from the policy or not
	Generated bool `json:"generated" yaml:"generated"`
	// Message is a human readable message indicating details about the generation of validating admission policy
	// It is an empty string when validating admission policy is successfully generated.
	Message string `json:"message" yaml:"message"`
}

ValidatingAdmissionPolicyStatus contains status information about the validating admission policy generated from the policy.

func (*ValidatingAdmissionPolicyStatus) DeepCopy added in v1.10.5

func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicyStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyStatus.

func (*ValidatingAdmissionPolicyStatus) DeepCopyInto added in v1.10.5

func (in *ValidatingAdmissionPolicyStatus) DeepCopyInto(out *ValidatingAdmissionPolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Validation

type Validation struct {
	// Message specifies a custom message to be displayed on failure.
	// +optional
	Message string `json:"message,omitempty" yaml:"message,omitempty"`

	// Manifest specifies conditions for manifest verification
	// +optional
	Manifests *Manifests `json:"manifests,omitempty" yaml:"manifests,omitempty"`

	// ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
	// +optional
	ForEachValidation []ForEachValidation `json:"foreach,omitempty" yaml:"foreach,omitempty"`

	// Pattern specifies an overlay-style pattern used to check resources.
	// +optional
	RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`

	// AnyPattern specifies list of validation patterns. At least one of the patterns
	// must be satisfied for the validation rule to succeed.
	// +optional
	RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`

	// Deny defines conditions used to pass or fail a validation rule.
	// +optional
	Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`

	// PodSecurity applies exemptions for Kubernetes Pod Security admission
	// by specifying exclusions for Pod Security Standards controls.
	// +optional
	PodSecurity *PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`

	// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
	// +optional
	CEL *CEL `json:"cel,omitempty" yaml:"cel,omitempty"`
}

Validation defines checks to be performed on matching resources.

func (*Validation) DeepCopy

func (in *Validation) DeepCopy() *Validation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation.

func (*Validation) DeepCopyInto

func (in *Validation) DeepCopyInto(out *Validation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Validation) DeserializeAnyPattern

func (in *Validation) DeserializeAnyPattern() ([]interface{}, error)

DeserializeAnyPattern deserializes the anyPattern apiextensions.JSON value into a []interface{}.

func (*Validation) GetAnyPattern added in v1.7.0

func (v *Validation) GetAnyPattern() apiextensions.JSON

func (*Validation) GetForeach added in v1.9.0

func (v *Validation) GetForeach() apiextensions.JSON

func (*Validation) GetPattern added in v1.7.0

func (v *Validation) GetPattern() apiextensions.JSON

func (*Validation) SetAnyPattern added in v1.7.0

func (v *Validation) SetAnyPattern(in apiextensions.JSON)

func (*Validation) SetForeach added in v1.9.0

func (v *Validation) SetForeach(in apiextensions.JSON)

func (*Validation) SetPattern added in v1.7.0

func (v *Validation) SetPattern(in apiextensions.JSON)

type ValidationFailureAction added in v1.7.0

type ValidationFailureAction string

ValidationFailureAction defines the policy validation failure action

const (

	// Enforce blocks the request on failure
	Enforce ValidationFailureAction = "Enforce"
	// Audit doesn't block the request on failure
	Audit ValidationFailureAction = "Audit"
)

Policy Reporting Modes

func (ValidationFailureAction) Audit added in v1.9.0

func (a ValidationFailureAction) Audit() bool

func (ValidationFailureAction) Enforce added in v1.9.0

func (a ValidationFailureAction) Enforce() bool

func (ValidationFailureAction) IsValid added in v1.10.0

func (a ValidationFailureAction) IsValid() bool

type ValidationFailureActionOverride

type ValidationFailureActionOverride struct {
	// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
	Action            ValidationFailureAction `json:"action,omitempty" yaml:"action,omitempty"`
	Namespaces        []string                `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
	NamespaceSelector *metav1.LabelSelector   `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
}

func (*ValidationFailureActionOverride) DeepCopy added in v1.7.0

func (in *ValidationFailureActionOverride) DeepCopy() *ValidationFailureActionOverride

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationFailureActionOverride.

func (*ValidationFailureActionOverride) DeepCopyInto added in v1.7.0

func (in *ValidationFailureActionOverride) DeepCopyInto(out *ValidationFailureActionOverride)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
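ValidationFailureAction and ValidationFailureActionOverride together decide whether a failed validate rule blocks a request or is only reported. The following added example (not Kyverno's own engine code) shows the case-insensitive IsValid/Enforce/Audit checks implied by the kubebuilder enum (audit, enforce, Audit, Enforce) and resolves the effective action for a namespace from the per-namespace overrides. Three points are assumptions of this example rather than statements from the page: the first matching override wins, an unset policy-level action falls back to Audit, and the label selector is reduced to exact matchLabels.

```go
package main

import (
	"fmt"
	"strings"
)

type ValidationFailureAction string

const (
	Enforce ValidationFailureAction = "Enforce"
	Audit   ValidationFailureAction = "Audit"
)

// Enforce and Audit compare case-insensitively so that the lower-case spellings
// admitted by the kubebuilder enum resolve to the same mode.
func (a ValidationFailureAction) Enforce() bool { return strings.EqualFold(string(a), string(Enforce)) }
func (a ValidationFailureAction) Audit() bool   { return strings.EqualFold(string(a), string(Audit)) }
func (a ValidationFailureAction) IsValid() bool { return a.Enforce() || a.Audit() }

// Override stands in for ValidationFailureActionOverride, with the
// NamespaceSelector reduced to exact matchLabels (assumption of this example).
type Override struct {
	Action      ValidationFailureAction
	Namespaces  []string
	MatchLabels map[string]string
}

// Namespace is the subset of namespace metadata an override consults.
type Namespace struct {
	Name   string
	Labels map[string]string
}

func (o Override) matches(ns Namespace) bool {
	for _, n := range o.Namespaces {
		if n == ns.Name {
			return true
		}
	}
	if len(o.MatchLabels) == 0 {
		return false
	}
	for k, v := range o.MatchLabels {
		if ns.Labels[k] != v {
			return false
		}
	}
	return true
}

// Policy carries the policy-level action and its overrides.
type Policy struct {
	Action    ValidationFailureAction
	Overrides []Override
}

// Validate rejects any action value outside the enum, at the policy level or in
// an override, with a field-path style message.
func (p Policy) Validate() error {
	if p.Action != "" && !p.Action.IsValid() {
		return fmt.Errorf("spec.validationFailureAction: unsupported value %q", p.Action)
	}
	for i, o := range p.Overrides {
		if !o.Action.IsValid() {
			return fmt.Errorf("spec.validationFailureActionOverrides[%d].action: unsupported value %q", i, o.Action)
		}
	}
	return nil
}

// EffectiveAction returns the action that applies in ns: the first matching
// override, otherwise the policy-level action, otherwise Audit (both the
// first-match rule and the Audit fallback are assumptions of this example).
func (p Policy) EffectiveAction(ns Namespace) ValidationFailureAction {
	for _, o := range p.Overrides {
		if o.matches(ns) {
			return o.Action
		}
	}
	if p.Action == "" {
		return Audit
	}
	return p.Action
}

// Blocks reports whether a failed validation under action rejects the request
// (Enforce) rather than only recording the failure (Audit).
func Blocks(action ValidationFailureAction) bool { return action.Enforce() }
```

The practical consequence for anyone reviewing a policy: an Audit override on a namespace selector that happens to match production turns a blocking rule into a report-only one there, so overrides deserve the same review as the rule itself.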

type Variable added in v1.7.0

type Variable struct {
	// Value is any arbitrary JSON object representable in YAML or JSON form.
	// +optional
	Value *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`

	// JMESPath is an optional JMESPath Expression that can be used to
	// transform the variable.
	// +optional
	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`

	// Default is an optional arbitrary JSON object that the variable may take if the JMESPath
	// expression evaluates to nil
	// +optional
	Default *apiextv1.JSON `json:"default,omitempty" yaml:"default,omitempty"`
}

Variable defines an arbitrary JMESPath context variable that can be defined inline.

func (*Variable) DeepCopy added in v1.7.0

func (in *Variable) DeepCopy() *Variable

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Variable.

func (*Variable) DeepCopyInto added in v1.7.0

func (in *Variable) DeepCopyInto(out *Variable)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WebhookConfiguration added in v1.12.0

type WebhookConfiguration struct {
	// MatchCondition configures admission webhook matchConditions.
	// +optional
	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"`
}

WebhookConfiguration specifies the configuration for the Kubernetes admission webhook configuration.

func (*WebhookConfiguration) DeepCopy added in v1.12.0

func (in *WebhookConfiguration) DeepCopy() *WebhookConfiguration

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConfiguration.

func (*WebhookConfiguration) DeepCopyInto added in v1.12.0

func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
