Documentation ¶
Overview ¶
+k8s:deepcopy-gen=package +kubebuilder:object:generate=true +groupName=kyverno.io
Copyright 2022 The Kubernetes authors.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
- Constants
- Variables
- func RegisterDefaults(scheme *runtime.Scheme) error
- func Resource(resource string) schema.GroupResource
- func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList)
- func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList)
- type AdmissionRequestInfoObject
- type AnyAllConditions
- type CleanupPolicy
- func (in *CleanupPolicy) DeepCopy() *CleanupPolicy
- func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy)
- func (in *CleanupPolicy) DeepCopyObject() runtime.Object
- func (p *CleanupPolicy) GetAPIVersion() string
- func (p *CleanupPolicy) GetExecutionTime() (*time.Time, error)
- func (p *CleanupPolicy) GetKind() string
- func (p *CleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error)
- func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec
- func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus
- func (p *CleanupPolicy) IsNamespaced() bool
- func (p *CleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList)
- type CleanupPolicyInterface
- type CleanupPolicyList
- type CleanupPolicySpec
- func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec
- func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec)
- func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList)
- func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList)
- type CleanupPolicyStatus
- type ClusterCleanupPolicy
- func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy
- func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy)
- func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object
- func (p *ClusterCleanupPolicy) GetAPIVersion() string
- func (p *ClusterCleanupPolicy) GetExecutionTime() (*time.Time, error)
- func (p *ClusterCleanupPolicy) GetKind() string
- func (p *ClusterCleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error)
- func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec
- func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus
- func (p *ClusterCleanupPolicy) IsNamespaced() bool
- func (p *ClusterCleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList)
- type ClusterCleanupPolicyList
- type Condition
- type ConditionOperator
- type Exception
- type MatchResources
- type PolicyException
- func (p *PolicyException) Contains(policy string, rule string) bool
- func (in *PolicyException) DeepCopy() *PolicyException
- func (in *PolicyException) DeepCopyInto(out *PolicyException)
- func (in *PolicyException) DeepCopyObject() runtime.Object
- func (p *PolicyException) GetKind() string
- func (p *PolicyException) HasPodSecurity() bool
- func (p *PolicyException) Validate() (errs field.ErrorList)
- type PolicyExceptionList
- type PolicyExceptionSpec
- func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool
- func (p *PolicyExceptionSpec) Contains(policy string, rule string) bool
- func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec
- func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec)
- func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList)
- type RequestInfo
- type RequestType
- type RuleContext
- type UpdateRequest
- type UpdateRequestList
- type UpdateRequestSpec
- func (in *UpdateRequestSpec) DeepCopy() *UpdateRequestSpec
- func (in *UpdateRequestSpec) DeepCopyInto(out *UpdateRequestSpec)
- func (s *UpdateRequestSpec) GetPolicyKey() string
- func (s *UpdateRequestSpec) GetRequestType() RequestType
- func (s *UpdateRequestSpec) GetResource() kyvernov1.ResourceSpec
- func (s *UpdateRequestSpec) GetRuleName() string
- func (s *UpdateRequestSpec) GetSynchronize() bool
- type UpdateRequestSpecContext
- type UpdateRequestState
- type UpdateRequestStatus
Constants ¶
// Label and annotation keys attached to UpdateRequest (UR) objects.
// NOTE(review): the per-key descriptions below are read off the key strings
// themselves; confirm against the code that sets and reads them.
const (
	// URMutatePolicyLabel adds the policy name to URs for mutate policies
	URMutatePolicyLabel = "mutate.updaterequest.kyverno.io/policy-name"
	// URMutateTriggerNameLabel presumably carries the trigger resource's name.
	URMutateTriggerNameLabel = "mutate.updaterequest.kyverno.io/trigger-name"
	// URMutateTriggerNSLabel presumably carries the trigger resource's namespace.
	URMutateTriggerNSLabel = "mutate.updaterequest.kyverno.io/trigger-namespace"
	// URMutateTriggerKindLabel presumably carries the trigger resource's kind.
	URMutateTriggerKindLabel = "mutate.updaterequest.kyverno.io/trigger-kind"
	// URMutateTriggerAPIVersionLabel presumably carries the trigger resource's API version.
	URMutateTriggerAPIVersionLabel = "mutate.updaterequest.kyverno.io/trigger-apiversion"
	// URGeneratePolicyLabel adds the policy name to URs for generate policies
	URGeneratePolicyLabel = "generate.kyverno.io/policy-name"
	// URGenerateRetryCountAnnotation is named as an annotation key, not a label;
	// presumably it records a retry count for generate URs.
	URGenerateRetryCountAnnotation = "generate.kyverno.io/retry-count"
)
const GroupName = "kyverno.io"
GroupName specifies the group name used to register the objects.
Variables ¶
// Scheme registration helpers for this API group.
// NOTE(review): localSchemeBuilder is referenced below but not declared in this
// listing; presumably it is an unexported variable omitted from the rendered docs.
var (
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
	SchemeBuilder runtime.SchemeBuilder

	// AddToScheme is localSchemeBuilder.AddToScheme.
	//
	// Deprecated: use Install instead.
	AddToScheme = localSchemeBuilder.AddToScheme

	// Install is the same function value as AddToScheme.
	Install = localSchemeBuilder.AddToScheme
)
// ConditionOperators stores all the valid ConditionOperator types as key-value pairs.
// Each key is the operator's name and maps to the ConditionOperator built from that
// same string. The Duration* entries compare duration values; the unprefixed
// comparison entries compare numeric values.
var ConditionOperators = map[string]ConditionOperator{
	"Equals":                      ConditionOperator("Equals"),
	"NotEquals":                   ConditionOperator("NotEquals"),
	"AnyIn":                       ConditionOperator("AnyIn"),
	"AllIn":                       ConditionOperator("AllIn"),
	"AnyNotIn":                    ConditionOperator("AnyNotIn"),
	"AllNotIn":                    ConditionOperator("AllNotIn"),
	"GreaterThanOrEquals":         ConditionOperator("GreaterThanOrEquals"),
	"GreaterThan":                 ConditionOperator("GreaterThan"),
	"LessThanOrEquals":            ConditionOperator("LessThanOrEquals"),
	"LessThan":                    ConditionOperator("LessThan"),
	"DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"),
	"DurationGreaterThan":         ConditionOperator("DurationGreaterThan"),
	"DurationLessThanOrEquals":    ConditionOperator("DurationLessThanOrEquals"),
	"DurationLessThan":            ConditionOperator("DurationLessThan"),
}
ConditionOperators stores all the valid ConditionOperator types as key-value pairs. "Equals" evaluates if the key is equal to the value. "NotEquals" evaluates if the key is not equal to the value. "AnyIn" evaluates if any of the keys are contained in the set of values. "AllIn" evaluates if all the keys are contained in the set of values. "AnyNotIn" evaluates if any of the keys are not contained in the set of values. "AllNotIn" evaluates if all the keys are not contained in the set of values. "GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric). "GreaterThan" evaluates if the key (numeric) is greater than the value (numeric). "LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric). "LessThan" evaluates if the key (numeric) is less than the value (numeric). "DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration). "DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration). "DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration). "DurationLessThan" evaluates if the key (duration) is less than the value (duration).
var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v2"}
GroupVersion specifies the group and the version used to register the objects.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2"}
SchemeGroupVersion is the group version used to register these objects. Deprecated: use GroupVersion instead.
Functions ¶
func RegisterDefaults ¶
RegisterDefaults adds defaulters functions to the given scheme. Public to allow building arbitrary schemes. All generated defaulters are covering - they call all nested defaulters.
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
func ValidateContext ¶
Types ¶
type AdmissionRequestInfoObject ¶
// AdmissionRequestInfoObject stores the admission request and operation details.
type AdmissionRequestInfoObject struct {
	// AdmissionRequest is the stored admission request; it is a pointer and is
	// omitted from JSON when nil.
	// +optional
	AdmissionRequest *admissionv1.AdmissionRequest `json:"admissionRequest,omitempty"`

	// Operation is the admission operation; it is omitted from JSON when empty.
	// +optional
	Operation admissionv1.Operation `json:"operation,omitempty"`
}
AdmissionRequestInfoObject stores the admission request and operation details
func (*AdmissionRequestInfoObject) DeepCopy ¶
func (in *AdmissionRequestInfoObject) DeepCopy() *AdmissionRequestInfoObject
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequestInfoObject.
func (*AdmissionRequestInfoObject) DeepCopyInto ¶
func (in *AdmissionRequestInfoObject) DeepCopyInto(out *AdmissionRequestInfoObject)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AnyAllConditions ¶
// AnyAllConditions groups conditions into an "any" list and an "all" list.
// NOTE(review): how the two lists combine when both are set is not stated here — confirm.
type AnyAllConditions struct {
	// AnyConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when a rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, at least one of the conditions needs to pass.
	// +optional
	AnyConditions []Condition `json:"any,omitempty"`

	// AllConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when a rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, all of the conditions need to pass.
	// +optional
	AllConditions []Condition `json:"all,omitempty"`
}
func (*AnyAllConditions) DeepCopy ¶
func (in *AnyAllConditions) DeepCopy() *AnyAllConditions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions.
func (*AnyAllConditions) DeepCopyInto ¶
func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CleanupPolicy ¶
// CleanupPolicy defines a rule for resource cleanup.
// It shares CleanupPolicySpec and CleanupPolicyStatus with ClusterCleanupPolicy.
type CleanupPolicy struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec declares policy behaviors.
	Spec CleanupPolicySpec `json:"spec"`

	// Status contains policy runtime data.
	// +optional
	Status CleanupPolicyStatus `json:"status,omitempty"`
}
CleanupPolicy defines a rule for resource cleanup.
func (*CleanupPolicy) DeepCopy ¶
func (in *CleanupPolicy) DeepCopy() *CleanupPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicy.
func (*CleanupPolicy) DeepCopyInto ¶
func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CleanupPolicy) DeepCopyObject ¶
func (in *CleanupPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*CleanupPolicy) GetAPIVersion ¶
func (p *CleanupPolicy) GetAPIVersion() string
GetAPIVersion returns the resource API version
func (*CleanupPolicy) GetExecutionTime ¶
func (p *CleanupPolicy) GetExecutionTime() (*time.Time, error)
GetExecutionTime returns the execution time of the policy
func (*CleanupPolicy) GetKind ¶
func (p *CleanupPolicy) GetKind() string
GetKind returns the resource kind
func (*CleanupPolicy) GetNextExecutionTime ¶
GetNextExecutionTime returns the next execution time of the policy
func (*CleanupPolicy) GetSpec ¶
func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec
GetSpec returns the policy spec
func (*CleanupPolicy) GetStatus ¶
func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus
GetStatus returns the policy status
func (*CleanupPolicy) IsNamespaced ¶
func (p *CleanupPolicy) IsNamespaced() bool
IsNamespaced indicates if the policy is namespace scoped
type CleanupPolicyInterface ¶ added in v1.13.0
// CleanupPolicyInterface abstracts the concrete policy type (CleanupPolicy vs ClusterCleanupPolicy)
// +kubebuilder:object:generate=false
type CleanupPolicyInterface interface {
	metav1.Object
	// IsNamespaced indicates if the policy is namespace scoped.
	IsNamespaced() bool
	// GetSpec returns the policy spec.
	GetSpec() *CleanupPolicySpec
	// GetStatus returns the policy status.
	GetStatus() *CleanupPolicyStatus
	// GetExecutionTime returns the execution time of the policy.
	GetExecutionTime() (*time.Time, error)
	// GetNextExecutionTime returns the next execution time of the policy.
	// NOTE(review): presumably computed relative to the time argument — confirm.
	GetNextExecutionTime(time.Time) (*time.Time, error)
	// Validate implements programmatic validation and returns the errors found.
	Validate(sets.Set[string]) field.ErrorList
	// GetKind returns the resource kind.
	GetKind() string
	// GetAPIVersion presumably returns the resource API version; the package
	// documentation describes it as returning the resource kind — confirm.
	GetAPIVersion() string
}
CleanupPolicyInterface abstracts the concrete policy type (CleanupPolicy vs ClusterCleanupPolicy) +kubebuilder:object:generate=false
type CleanupPolicyList ¶
// CleanupPolicyList is a list of CleanupPolicy instances.
type CleanupPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	// Items holds the CleanupPolicy objects in the list.
	Items []CleanupPolicy `json:"items"`
}
CleanupPolicyList is a list of CleanupPolicy instances.
func (*CleanupPolicyList) DeepCopy ¶
func (in *CleanupPolicyList) DeepCopy() *CleanupPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyList.
func (*CleanupPolicyList) DeepCopyInto ¶
func (in *CleanupPolicyList) DeepCopyInto(out *CleanupPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CleanupPolicyList) DeepCopyObject ¶
func (in *CleanupPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CleanupPolicySpec ¶
// CleanupPolicySpec stores the selection criteria for the resources to delete and
// the schedule on which matching resources are deleted.
//
// NOTE(review): resources selected by MatchResources and Conditions are deleted on
// Schedule, so an over-broad match is destructive; review the match scope and who
// is allowed to create or edit these policies.
type CleanupPolicySpec struct {
	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []kyvernov1.ContextEntry `json:"context,omitempty"`

	// MatchResources defines when cleanuppolicy should be applied. The match
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the user name or role.
	// At least one kind is required.
	MatchResources MatchResources `json:"match"`

	// ExcludeResources defines when cleanuppolicy should not be applied. The exclude
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the user name or role.
	// +optional
	ExcludeResources *MatchResources `json:"exclude,omitempty"`

	// Schedule is the schedule in Cron format.
	Schedule string `json:"schedule"`

	// Conditions defines the conditions used to select the resources which will be cleaned up.
	// +optional
	Conditions *AnyAllConditions `json:"conditions,omitempty"`
}
CleanupPolicySpec stores the specifications for selecting the resources that the user needs to delete and the schedule on which the matching resources are deleted.
func (*CleanupPolicySpec) DeepCopy ¶
func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicySpec.
func (*CleanupPolicySpec) DeepCopyInto ¶
func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CleanupPolicySpec) Validate ¶
func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList)
Validate implements programmatic validation
func (*CleanupPolicySpec) ValidateMatchExcludeConflict ¶
func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList)
ValidateMatchExcludeConflict checks that the result of combining the match and exclude blocks is not an empty set
type CleanupPolicyStatus ¶
// CleanupPolicyStatus stores the status of the policy.
type CleanupPolicyStatus struct {
	// Conditions holds the policy's status conditions; the struct tags declare a
	// merge patch strategy keyed on "type".
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`

	// LastExecutionTime presumably records when the policy last ran — confirm
	// against the controller that writes it.
	LastExecutionTime metav1.Time `json:"lastExecutionTime,omitempty"`
}
CleanupPolicyStatus stores the status of the policy.
func (*CleanupPolicyStatus) DeepCopy ¶
func (in *CleanupPolicyStatus) DeepCopy() *CleanupPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyStatus.
func (*CleanupPolicyStatus) DeepCopyInto ¶
func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterCleanupPolicy ¶
// ClusterCleanupPolicy defines a rule for resource cleanup.
// It shares CleanupPolicySpec and CleanupPolicyStatus with CleanupPolicy.
type ClusterCleanupPolicy struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec declares policy behaviors.
	Spec CleanupPolicySpec `json:"spec"`

	// Status contains policy runtime data.
	// +optional
	Status CleanupPolicyStatus `json:"status,omitempty"`
}
ClusterCleanupPolicy defines a rule for resource cleanup.
func (*ClusterCleanupPolicy) DeepCopy ¶
func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicy.
func (*ClusterCleanupPolicy) DeepCopyInto ¶
func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterCleanupPolicy) DeepCopyObject ¶
func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterCleanupPolicy) GetAPIVersion ¶
func (p *ClusterCleanupPolicy) GetAPIVersion() string
GetAPIVersion returns the resource API version
func (*ClusterCleanupPolicy) GetExecutionTime ¶
func (p *ClusterCleanupPolicy) GetExecutionTime() (*time.Time, error)
GetExecutionTime returns the execution time of the policy
func (*ClusterCleanupPolicy) GetKind ¶
func (p *ClusterCleanupPolicy) GetKind() string
GetKind returns the resource kind
func (*ClusterCleanupPolicy) GetNextExecutionTime ¶
GetNextExecutionTime returns the next execution time of the policy
func (*ClusterCleanupPolicy) GetSpec ¶
func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec
GetSpec returns the policy spec
func (*ClusterCleanupPolicy) GetStatus ¶
func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus
GetStatus returns the policy status
func (*ClusterCleanupPolicy) IsNamespaced ¶
func (p *ClusterCleanupPolicy) IsNamespaced() bool
IsNamespaced indicates if the policy is namespace scoped
type ClusterCleanupPolicyList ¶
// ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances.
type ClusterCleanupPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	// Items holds the ClusterCleanupPolicy objects in the list.
	Items []ClusterCleanupPolicy `json:"items"`
}
ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances.
func (*ClusterCleanupPolicyList) DeepCopy ¶
func (in *ClusterCleanupPolicyList) DeepCopy() *ClusterCleanupPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicyList.
func (*ClusterCleanupPolicyList) DeepCopyInto ¶
func (in *ClusterCleanupPolicyList) DeepCopyInto(out *ClusterCleanupPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterCleanupPolicyList) DeepCopyObject ¶
func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type Condition ¶
// Condition is a single key/operator/value comparison; AnyAllConditions holds
// lists of them.
//
// NOTE(review): RawKey and RawValue carry the Schemaless and PreserveUnknownFields
// markers, so the generated CRD schema presumably places no structural constraints
// on them; confirm that their contents are validated in code before evaluation.
//
// NOTE(review): the Operator comment lists In and NotIn, but neither appears in the
// Enum marker on ConditionOperator or in the ConditionOperators map in this
// package; confirm which list is authoritative.
type Condition struct {
	// Key is the context entry (using JMESPath) for conditional rule evaluation.
	// +kubebuilder:validation:Schemaless
	// +kubebuilder:pruning:PreserveUnknownFields
	RawKey *kyverno.Any `json:"key,omitempty"`

	// Operator is the conditional operation to perform. Valid operators are:
	// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
	// GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
	// DurationLessThanOrEquals, DurationLessThan
	Operator ConditionOperator `json:"operator,omitempty"`

	// Value is the conditional value, or set of values. The values can be a fixed set
	// or can be variables declared using JMESPath.
	// +kubebuilder:validation:Schemaless
	// +kubebuilder:pruning:PreserveUnknownFields
	RawValue *kyverno.Any `json:"value,omitempty"`

	// Message is an optional display message
	Message string `json:"message,omitempty"`
}
func (*Condition) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (*Condition) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ConditionOperator ¶
type ConditionOperator string
ConditionOperator is the operation performed on condition key and value. +kubebuilder:validation:Enum=Equals;NotEquals;AnyIn;AllIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan
type Exception ¶
// Exception stores information about a policy and the rules within it to which an
// exception applies.
type Exception struct {
	// PolicyName identifies the policy to which the exception is applied.
	// The policy name uses the format <namespace>/<name> unless it
	// references a ClusterPolicy.
	PolicyName string `json:"policyName"`

	// RuleNames identifies the rules to which the exception is applied.
	RuleNames []string `json:"ruleNames"`
}
Exception stores information about a policy and its rules
func (*Exception) Contains ¶
Contains returns true if it contains an exception for the given policy/rule pair
func (*Exception) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Exception.
func (*Exception) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MatchResources ¶
type MatchResources = kyvernov2beta1.MatchResources
type PolicyException ¶
// PolicyException declares resources to be excluded from specified policies.
//
// NOTE(review): because an exception switches off policy rules for the resources it
// matches, access to create or modify these objects deserves the same scrutiny as
// access to the policies themselves.
type PolicyException struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec declares policy exception behaviors.
	Spec PolicyExceptionSpec `json:"spec"`
}
PolicyException declares resources to be excluded from specified policies.
func (*PolicyException) Contains ¶
func (p *PolicyException) Contains(policy string, rule string) bool
Contains returns true if it contains an exception for the given policy/rule pair
func (*PolicyException) DeepCopy ¶
func (in *PolicyException) DeepCopy() *PolicyException
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyException.
func (*PolicyException) DeepCopyInto ¶
func (in *PolicyException) DeepCopyInto(out *PolicyException)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyException) DeepCopyObject ¶
func (in *PolicyException) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*PolicyException) GetKind ¶
func (p *PolicyException) GetKind() string
func (*PolicyException) HasPodSecurity ¶
func (p *PolicyException) HasPodSecurity() bool
HasPodSecurity checks if podSecurity controls are specified
func (*PolicyException) Validate ¶
func (p *PolicyException) Validate() (errs field.ErrorList)
Validate implements programmatic validation
type PolicyExceptionList ¶
// PolicyExceptionList is a list of Policy Exceptions
type PolicyExceptionList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	// Items holds the PolicyException objects in the list.
	Items []PolicyException `json:"items"`
}
PolicyExceptionList is a list of Policy Exceptions
func (*PolicyExceptionList) DeepCopy ¶
func (in *PolicyExceptionList) DeepCopy() *PolicyExceptionList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionList.
func (*PolicyExceptionList) DeepCopyInto ¶
func (in *PolicyExceptionList) DeepCopyInto(out *PolicyExceptionList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyExceptionList) DeepCopyObject ¶
func (in *PolicyExceptionList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyExceptionSpec ¶
// PolicyExceptionSpec stores policy exception spec
//
// NOTE(review): every resource selected by Match (and by Conditions, when set) is
// excluded from the policy rules listed in Exceptions, so keep Match as narrow as
// the use case allows.
type PolicyExceptionSpec struct {
	// Background controls if exceptions are applied to existing policies during a background scan.
	// Optional. Default value is "true". The value must be set to "false" if the policy rule
	// uses variables that are only available in the admission review request (e.g. user name).
	Background *bool `json:"background,omitempty"`

	// Match defines the match clause used to check if a resource applies to the exception
	Match kyvernov2beta1.MatchResources `json:"match"`

	// Conditions are used to determine if a resource applies to the exception by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements.
	// +optional
	Conditions *AnyAllConditions `json:"conditions,omitempty"`

	// Exceptions is a list of policy/rules to be excluded
	Exceptions []Exception `json:"exceptions"`

	// PodSecurity specifies the Pod Security Standard controls to be excluded.
	// Applicable only to policies that have validate.podSecurity subrule.
	// +optional
	PodSecurity []kyvernov1.PodSecurityStandard `json:"podSecurity,omitempty"`
}
PolicyExceptionSpec stores policy exception spec
func (*PolicyExceptionSpec) BackgroundProcessingEnabled ¶
func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool
func (*PolicyExceptionSpec) Contains ¶
func (p *PolicyExceptionSpec) Contains(policy string, rule string) bool
Contains returns true if it contains an exception for the given policy/rule pair
func (*PolicyExceptionSpec) DeepCopy ¶
func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionSpec.
func (*PolicyExceptionSpec) DeepCopyInto ¶
func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RequestInfo ¶
// RequestInfo contains permission info carried in an admission request.
//
// NOTE(review): AdmissionUserInfo is marked +optional but its JSON tag has no
// omitempty, unlike the other optional fields here — confirm this is intended.
type RequestInfo struct {
	// Roles is a list of possible roles of the sender of the request.
	// +nullable
	// +optional
	Roles []string `json:"roles,omitempty"`

	// ClusterRoles is a list of possible clusterRoles of the sender of the request.
	// +nullable
	// +optional
	ClusterRoles []string `json:"clusterRoles,omitempty"`

	// UserInfo is the userInfo carried in the admission request.
	// +optional
	AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo"`
}
RequestInfo contains permission info carried in an admission request.
func (*RequestInfo) DeepCopy ¶
func (in *RequestInfo) DeepCopy() *RequestInfo
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestInfo.
func (*RequestInfo) DeepCopyInto ¶
func (in *RequestInfo) DeepCopyInto(out *RequestInfo)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RequestType ¶
// RequestType is the string type of UpdateRequestSpec.Type, whose comment describes
// it as the request type for background processing.
type RequestType string

// Request types; the values match the Enum marker on UpdateRequestSpec.Type.
const (
	Mutate   RequestType = "mutate"
	Generate RequestType = "generate"
)
type RuleContext ¶ added in v1.13.0
// RuleContext is the per-rule context of an update request; UpdateRequestSpec holds
// a list of them in its RuleContext field.
type RuleContext struct {
	// Rule is the associated rule name of the current UR.
	Rule string `json:"rule"`

	// DeleteDownstream represents whether the downstream needs to be deleted.
	DeleteDownstream bool `json:"deleteDownstream"`

	// Synchronize represents the sync behavior of the corresponding rule
	// Optional. Defaults to "false" if not specified.
	Synchronize bool `json:"synchronize,omitempty"`

	// Trigger is the information to identify the trigger resource.
	Trigger kyvernov1.ResourceSpec `json:"trigger"`
}
func (*RuleContext) DeepCopy ¶ added in v1.13.0
func (in *RuleContext) DeepCopy() *RuleContext
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleContext.
func (*RuleContext) DeepCopyInto ¶ added in v1.13.0
func (in *RuleContext) DeepCopyInto(out *RuleContext)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type UpdateRequest ¶
// UpdateRequest is a request to process mutate and generate rules in background.
type UpdateRequest struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the request specification.
	Spec UpdateRequestSpec `json:"spec,omitempty"`

	// Status contains statistics related to update request.
	// +optional
	Status UpdateRequestStatus `json:"status,omitempty"`
}
UpdateRequest is a request to process mutate and generate rules in background.
func (*UpdateRequest) DeepCopy ¶
func (in *UpdateRequest) DeepCopy() *UpdateRequest
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequest.
func (*UpdateRequest) DeepCopyInto ¶
func (in *UpdateRequest) DeepCopyInto(out *UpdateRequest)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*UpdateRequest) DeepCopyObject ¶
func (in *UpdateRequest) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type UpdateRequestList ¶
// UpdateRequestList contains a list of UpdateRequest
type UpdateRequestList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the UpdateRequest objects in the list.
	Items []UpdateRequest `json:"items"`
}
UpdateRequestList contains a list of UpdateRequest
func (*UpdateRequestList) DeepCopy ¶
func (in *UpdateRequestList) DeepCopy() *UpdateRequestList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestList.
func (*UpdateRequestList) DeepCopyInto ¶
func (in *UpdateRequestList) DeepCopyInto(out *UpdateRequestList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*UpdateRequestList) DeepCopyObject ¶
func (in *UpdateRequestList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type UpdateRequestSpec ¶
// UpdateRequestSpec stores the request specification.
//
// NOTE(review): Rule, DeleteDownstream and Synchronize duplicate fields of
// RuleContext; two of them are marked deprecated below, presumably in favour of
// the RuleContext list — confirm.
//
// NOTE(review): the "optional" line on RuleContext lacks the "+" prefix that the
// other markers in this package use, so it reads as prose rather than a marker —
// confirm intent.
type UpdateRequestSpec struct {
	// Type represents request type for background processing
	// +kubebuilder:validation:Enum=mutate;generate
	Type RequestType `json:"requestType,omitempty"`

	// Specifies the name of the policy.
	Policy string `json:"policy"`

	// RuleContext is the associated context to apply rules.
	// optional
	RuleContext []RuleContext `json:"ruleContext,omitempty"`

	// Rule is the associated rule name of the current UR.
	Rule string `json:"rule"`

	// DeleteDownstream represents whether the downstream needs to be deleted.
	// Deprecated
	DeleteDownstream bool `json:"deleteDownstream"`

	// Synchronize represents the sync behavior of the corresponding rule
	// Optional. Defaults to "false" if not specified.
	// Deprecated, will be removed in 1.14.
	Synchronize bool `json:"synchronize,omitempty"`

	// Resource is the information to identify the trigger resource.
	Resource kyvernov1.ResourceSpec `json:"resource"`

	// Context represents admission request context.
	// It is used upon admission review only and is shared across rules within the same UR.
	Context UpdateRequestSpecContext `json:"context"`
}
UpdateRequestSpec stores the request specification.
func (*UpdateRequestSpec) DeepCopy ¶
func (in *UpdateRequestSpec) DeepCopy() *UpdateRequestSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestSpec.
func (*UpdateRequestSpec) DeepCopyInto ¶
func (in *UpdateRequestSpec) DeepCopyInto(out *UpdateRequestSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*UpdateRequestSpec) GetPolicyKey ¶
func (s *UpdateRequestSpec) GetPolicyKey() string
func (*UpdateRequestSpec) GetRequestType ¶
func (s *UpdateRequestSpec) GetRequestType() RequestType
func (*UpdateRequestSpec) GetResource ¶
func (s *UpdateRequestSpec) GetResource() kyvernov1.ResourceSpec
func (*UpdateRequestSpec) GetRuleName ¶
func (s *UpdateRequestSpec) GetRuleName() string
func (*UpdateRequestSpec) GetSynchronize ¶
func (s *UpdateRequestSpec) GetSynchronize() bool
type UpdateRequestSpecContext ¶
// UpdateRequestSpecContext stores the context to be shared.
//
// NOTE(review): this context embeds the requester's user info and the admission
// request inside the UpdateRequest spec, so anyone able to read UpdateRequest
// objects can read that data; confirm read access to UpdateRequests is restricted
// accordingly.
type UpdateRequestSpecContext struct {
	// UserRequestInfo is the permission info carried in the admission request.
	// +optional
	UserRequestInfo RequestInfo `json:"userInfo,omitempty"`

	// AdmissionRequestInfo is the stored admission request and operation.
	// +optional
	AdmissionRequestInfo AdmissionRequestInfoObject `json:"admissionRequestInfo,omitempty"`
}
UpdateRequestSpecContext stores the context to be shared.
func (*UpdateRequestSpecContext) DeepCopy ¶
func (in *UpdateRequestSpecContext) DeepCopy() *UpdateRequestSpecContext
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestSpecContext.
func (*UpdateRequestSpecContext) DeepCopyInto ¶
func (in *UpdateRequestSpecContext) DeepCopyInto(out *UpdateRequestSpecContext)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type UpdateRequestState ¶
type UpdateRequestState string
UpdateRequestState defines the state of request.
// States an update request can be in.
const (
	// Pending - the Request is yet to be processed or resource has not been created.
	Pending UpdateRequestState = "Pending"

	// Failed - the Update Request Controller failed to process the rules.
	Failed UpdateRequestState = "Failed"

	// Completed - the Update Request Controller created resources defined in the policy.
	Completed UpdateRequestState = "Completed"

	// Skip - the Update Request Controller skips generating the resource.
	Skip UpdateRequestState = "Skip"
)
type UpdateRequestStatus ¶
// UpdateRequestStatus defines the observed state of UpdateRequest
type UpdateRequestStatus struct {
	// State represents state of the update request.
	State UpdateRequestState `json:"state"`

	// Specifies request status message.
	// +optional
	Message string `json:"message,omitempty"`

	// GeneratedResources tracks the resources that are updated by the generate policy.
	// It is used when cleaning up resources.
	GeneratedResources []kyvernov1.ResourceSpec `json:"generatedResources,omitempty"`

	// RetryCount presumably counts processing retries for this request — confirm
	// against the controller that writes it.
	RetryCount int `json:"retryCount,omitempty"`
}
UpdateRequestStatus defines the observed state of UpdateRequest
func (*UpdateRequestStatus) DeepCopy ¶
func (in *UpdateRequestStatus) DeepCopy() *UpdateRequestStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestStatus.
func (*UpdateRequestStatus) DeepCopyInto ¶
func (in *UpdateRequestStatus) DeepCopyInto(out *UpdateRequestStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.