- Constants
- Variables
- func FromJSON(in *apiextv1.JSON) apiextensions.JSON
- func Kind(kind string) schema.GroupKind
- func Resource(resource string) schema.GroupResource
- func ToJSON(in apiextensions.JSON) *apiextv1.JSON
- func ValidateAutogenAnnotation(path *field.Path, annotations map[string]string) (errs field.ErrorList)
- func ValidatePolicyName(path *field.Path, name string) (errs field.ErrorList)
- type APICall
- type AdmissionRequestInfoObject
- type AnyAllConditions
- type Attestation
- type Attestor
- type AttestorSet
- type AutogenStatus
- type CTLog
- type CertificateAttestor
- type CloneFrom
- type ClusterPolicy
- func (p *ClusterPolicy) BackgroundProcessingEnabled() bool
- func (p *ClusterPolicy) CreateDeepCopy() PolicyInterface
- func (in *ClusterPolicy) DeepCopy() *ClusterPolicy
- func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)
- func (in *ClusterPolicy) DeepCopyObject() runtime.Object
- func (p *ClusterPolicy) GetKind() string
- func (p *ClusterPolicy) GetSpec() *Spec
- func (p *ClusterPolicy) HasAutoGenAnnotation() bool
- func (p *ClusterPolicy) HasGenerate() bool
- func (p *ClusterPolicy) HasMutate() bool
- func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool
- func (p *ClusterPolicy) HasValidate() bool
- func (p *ClusterPolicy) HasVerifyImages() bool
- func (p *ClusterPolicy) IsNamespaced() bool
- func (p *ClusterPolicy) IsReady() bool
- func (p *ClusterPolicy) Validate(clusterResources sets.String) (errs field.ErrorList)
- type ClusterPolicyList
- type Condition
- type ConditionOperator
- type ConfigMapReference
- type ContextEntry
- type Deny
- type FailurePolicyType
- type ForEachMutation
- type ForEachValidation
- func (in *ForEachValidation) DeepCopy() *ForEachValidation
- func (in *ForEachValidation) DeepCopyInto(out *ForEachValidation)
- func (v *ForEachValidation) GetAnyPattern() apiextensions.JSON
- func (v *ForEachValidation) GetPattern() apiextensions.JSON
- func (v *ForEachValidation) SetAnyPattern(in apiextensions.JSON)
- func (v *ForEachValidation) SetPattern(in apiextensions.JSON)
- type GenerateRequest
- type GenerateRequestContext
- type GenerateRequestList
- type GenerateRequestSpec
- type GenerateRequestState
- type GenerateRequestStatus
- type Generation
- type ImageExtractorConfig
- type ImageExtractorConfigs
- type ImageRegistry
- type ImageVerification
- type KeylessAttestor
- type MatchResources
- type Mutation
- type Policy
- func (p *Policy) BackgroundProcessingEnabled() bool
- func (p *Policy) CreateDeepCopy() PolicyInterface
- func (in *Policy) DeepCopy() *Policy
- func (in *Policy) DeepCopyInto(out *Policy)
- func (in *Policy) DeepCopyObject() runtime.Object
- func (p *Policy) GetKind() string
- func (p *Policy) GetSpec() *Spec
- func (p *Policy) HasAutoGenAnnotation() bool
- func (p *Policy) HasGenerate() bool
- func (p *Policy) HasMutate() bool
- func (p *Policy) HasMutateOrValidateOrGenerate() bool
- func (p *Policy) HasValidate() bool
- func (p *Policy) HasVerifyImages() bool
- func (p *Policy) IsNamespaced() bool
- func (p *Policy) IsReady() bool
- func (p *Policy) Validate(clusterResources sets.String) (errs field.ErrorList)
- type PolicyInterface
- type PolicyList
- type PolicyStatus
- type RequestInfo
- type ResourceDescription
- type ResourceFilter
- type ResourceFilters
- type ResourceSpec
- type Rule
- func (in *Rule) DeepCopy() *Rule
- func (in *Rule) DeepCopyInto(out *Rule)
- func (r *Rule) GetAnyAllConditions() apiextensions.JSON
- func (r *Rule) GetCloneSyncForGenerate() (clone bool, sync bool)
- func (r *Rule) HasGenerate() bool
- func (r *Rule) HasImagesValidationChecks() bool
- func (r *Rule) HasMutate() bool
- func (r *Rule) HasValidate() bool
- func (r *Rule) HasVerifyImages() bool
- func (r *Rule) IsMutateExisting() bool
- func (r *Rule) SetAnyAllConditions(in apiextensions.JSON)
- func (r *Rule) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
- func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList)
- func (r *Rule) ValidateRuleType(path *field.Path) (errs field.ErrorList)
- type Spec
- func (s *Spec) BackgroundProcessingEnabled() bool
- func (in *Spec) DeepCopy() *Spec
- func (in *Spec) DeepCopyInto(out *Spec)
- func (s *Spec) GetFailurePolicy() FailurePolicyType
- func (s *Spec) GetMutateExistingOnPolicyUpdate() bool
- func (s *Spec) GetValidationFailureAction() ValidationFailureAction
- func (s *Spec) HasGenerate() bool
- func (s *Spec) HasImagesValidationChecks() bool
- func (s *Spec) HasMutate() bool
- func (s *Spec) HasMutateOrValidateOrGenerate() bool
- func (s *Spec) HasValidate() bool
- func (s *Spec) HasVerifyImages() bool
- func (s *Spec) IsGenerateExistingOnPolicyUpdate() bool
- func (s *Spec) IsMutateExisting() bool
- func (s *Spec) SetRules(rules []Rule)
- func (s *Spec) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
- func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList)
- func (s *Spec) ValidateRules(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
- type StaticKeyAttestor
- type UserInfo
- func (in *UserInfo) DeepCopy() *UserInfo
- func (in *UserInfo) DeepCopyInto(out *UserInfo)
- func (u *UserInfo) Validate(path *field.Path) (errs field.ErrorList)
- func (u *UserInfo) ValidateRoles(path *field.Path) (errs field.ErrorList)
- func (u *UserInfo) ValidateSubjects(path *field.Path) (errs field.ErrorList)
- type Validation
- func (in *Validation) DeepCopy() *Validation
- func (in *Validation) DeepCopyInto(out *Validation)
- func (in *Validation) DeserializeAnyPattern() ([]interface{}, error)
- func (v *Validation) GetAnyPattern() apiextensions.JSON
- func (v *Validation) GetPattern() apiextensions.JSON
- func (v *Validation) SetAnyPattern(in apiextensions.JSON)
- func (v *Validation) SetPattern(in apiextensions.JSON)
- type ValidationFailureAction
- type ValidationFailureActionOverride
- type Variable
- type ViolatedRule
Constants ¶
const (
	// PolicyReasonSucceeded is the reason set when the policy is ready.
	PolicyReasonSucceeded = "Succeeded"
	// PolicyReasonFailed is the reason set when the policy is not ready.
	PolicyReasonFailed = "Failed"
)
const (
	// PodControllersAnnotation defines the annotation key for Pod-Controllers.
	// A policy carrying this annotation requests that its Pod rules be
	// auto-generated for the listed controller kinds (see AutogenStatus and
	// HasAutoGenAnnotation); the accepted value format is not shown here.
	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
)
const (
	// PolicyConditionReady is the status condition type reported when the
	// policy is ready; IsReady on Policy/ClusterPolicy reflects it.
	PolicyConditionReady = "Ready"
)
Variables ¶
var (
	// SchemeBuilder builds the scheme; addKnownTypes registers this package's
	// API types under SchemeGroupVersion.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme adds all types of this clientset into the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
// ConditionOperators stores all the valid ConditionOperator types as key-value pairs.
//
//	"Equal" evaluates if the key is equal to the value. (Deprecated; Use Equals instead)
//	"Equals" evaluates if the key is equal to the value.
//	"NotEqual" evaluates if the key is not equal to the value. (Deprecated; Use NotEquals instead)
//	"NotEquals" evaluates if the key is not equal to the value.
//	"In" evaluates if the key is contained in the set of values.
//	"AnyIn" evaluates if any of the keys are contained in the set of values.
//	"AllIn" evaluates if all the keys are contained in the set of values.
//	"NotIn" evaluates if the key is not contained in the set of values.
//	"AnyNotIn" evaluates if any of the keys are not contained in the set of values.
//	"AllNotIn" evaluates if all the keys are not contained in the set of values.
//	"GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric).
//	"GreaterThan" evaluates if the key (numeric) is greater than the value (numeric).
//	"LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric).
//	"LessThan" evaluates if the key (numeric) is less than the value (numeric).
//	"DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration).
//	"DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration).
//	"DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration).
//	"DurationLessThan" evaluates if the key (duration) is less than the value (duration).
//
// NOTE(review): the deprecated "Equal" and "NotEqual" spellings are present in
// this map but are absent from the CRD enum declared on ConditionOperator, so
// the schema and this table do not agree on the accepted set. Confirm which of
// the two the admission path actually enforces before relying on either.
var ConditionOperators = map[string]ConditionOperator{
	"Equal":                       ConditionOperator("Equal"),
	"Equals":                      ConditionOperator("Equals"),
	"NotEqual":                    ConditionOperator("NotEqual"),
	"NotEquals":                   ConditionOperator("NotEquals"),
	"In":                          ConditionOperator("In"),
	"AnyIn":                       ConditionOperator("AnyIn"),
	"AllIn":                       ConditionOperator("AllIn"),
	"NotIn":                       ConditionOperator("NotIn"),
	"AnyNotIn":                    ConditionOperator("AnyNotIn"),
	"AllNotIn":                    ConditionOperator("AllNotIn"),
	"GreaterThanOrEquals":         ConditionOperator("GreaterThanOrEquals"),
	"GreaterThan":                 ConditionOperator("GreaterThan"),
	"LessThanOrEquals":            ConditionOperator("LessThanOrEquals"),
	"LessThan":                    ConditionOperator("LessThan"),
	"DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"),
	"DurationGreaterThan":         ConditionOperator("DurationGreaterThan"),
	"DurationLessThanOrEquals":    ConditionOperator("DurationLessThanOrEquals"),
	"DurationLessThan":            ConditionOperator("DurationLessThan"),
}
// SchemeGroupVersion is group version used to register these objects
// (group kyverno.GroupName, version "v1").
var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v1"}
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type APICall ¶
// APICall defines an HTTP request to the Kubernetes API server. The JSON data
// retrieved is stored in the context. An APICall contains a URLPath used to
// perform the HTTP GET request and an optional JMESPath used to transform the
// retrieved JSON data.
//
// Security note: URLPath is policy-authored and selects what is read from the
// API server, so whoever can create or edit a policy can surface, via the rule
// context, any resource the request is authorized to read. Which credentials
// the request uses is not shown here — presumably the policy engine's own
// service account — so its RBAC should be scoped with that in mind; confirm
// against the controller deployment.
type APICall struct {
	// URLPath is the URL path to be used in the HTTP GET request to the
	// Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
	// The format required is the same format used by the `kubectl get --raw` command.
	URLPath string `json:"urlPath" yaml:"urlPath"`
	// JMESPath is an optional JSON Match Expression that can be used to
	// transform the JSON response returned from the API server. For example
	// a JMESPath of "items | length(@)" applied to the API server response
	// to the URLPath "/apis/apps/v1/deployments" will return the total count
	// of deployments across all namespaces.
	// +optional
	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
}
func (*APICall) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APICall.
func (*APICall) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AdmissionRequestInfoObject ¶
// AdmissionRequestInfoObject stores the admission request and operation details.
//
// NOTE(review): AdmissionRequest is the serialized admission request (its
// exact encoding is not shown here). Admission requests normally carry the
// full object under review, so this field may contain sensitive data; treat
// it as such wherever this object is persisted or logged — confirm with the
// writer of this field.
type AdmissionRequestInfoObject struct {
	// AdmissionRequest is the serialized admission request.
	// +optional
	AdmissionRequest string `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
	// Operation is the admission operation (e.g. CREATE, UPDATE) the request carries.
	// +optional
	Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
}
func (*AdmissionRequestInfoObject) DeepCopy ¶
func (in *AdmissionRequestInfoObject) DeepCopy() *AdmissionRequestInfoObject
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequestInfoObject.
func (*AdmissionRequestInfoObject) DeepCopyInto ¶
func (in *AdmissionRequestInfoObject) DeepCopyInto(out *AdmissionRequestInfoObject)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AnyAllConditions ¶
// AnyAllConditions consists of conditions wrapped denoting a logical criteria
// to be fulfilled. AnyConditions get fulfilled when at least one of its
// sub-conditions passes. AllConditions get fulfilled only when all of its
// sub-conditions pass.
//
// How a declaration that sets both lists, or neither, is combined is not
// shown here; see the Kyverno preconditions documentation.
type AnyAllConditions struct {
	// AnyConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when an rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, at least one of the conditions need to pass
	// +optional
	AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
	// AllConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when an rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, all of the conditions need to pass
	// +optional
	AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
}
func (*AnyAllConditions) DeepCopy ¶
func (in *AnyAllConditions) DeepCopy() *AnyAllConditions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions.
func (*AnyAllConditions) DeepCopyInto ¶
func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Attestation ¶
// Attestation are checks for signed in-toto Statements that are used to verify
// the image. See https://github.com/in-toto/attestation. Kyverno fetches signed
// attestations from the OCI registry and decodes them into a list of Statements.
//
// Security note: with an empty Conditions list the check passes as soon as a
// statement of the requested PredicateType is present — the predicate's
// contents are not examined at all. If the policy's intent is "the build was
// produced by X" or "the scan found no critical findings", that must be
// expressed as Conditions; the predicate type alone only proves that someone
// holding an accepted signing key produced a statement of that type.
type Attestation struct {
	// PredicateType defines the type of Predicate contained within the Statement.
	PredicateType string `json:"predicateType,omitempty" yaml:"predicateType,omitempty"`
	// Conditions are used to verify attributes within a Predicate. If no Conditions are specified
	// the attestation check is satisfied as long there are predicates that match the predicate type.
	// +optional
	Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}
func (*Attestation) DeepCopy ¶
func (in *Attestation) DeepCopy() *Attestation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.
func (*Attestation) DeepCopyInto ¶
func (in *Attestation) DeepCopyInto(out *Attestation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Attestor ¶ added in v1.7.0
// Attestor is one entry of an AttestorSet: a single trust anchor (static keys,
// certificates or Sigstore keyless identity) or a nested AttestorSet that is
// decoded from raw JSON by AttestorSetUnmarshal. Whether more than one of
// Keys/Certificates/Keyless/Attestor may be set on the same entry is not
// shown here — presumably validation rejects that; confirm before relying on it.
type Attestor struct {
	// Keys specifies one or more public keys
	// +kubebuilder:validation:Optional
	Keys *StaticKeyAttestor `json:"keys,omitempty" yaml:"keys,omitempty"`
	// Certificates specifies one or more certificates
	// +kubebuilder:validation:Optional
	Certificates *CertificateAttestor `json:"certificates,omitempty" yaml:"certificates,omitempty"`
	// Keyless is a set of attribute used to verify a Sigstore keyless attestor.
	// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
	// +kubebuilder:validation:Optional
	Keyless *KeylessAttestor `json:"keyless,omitempty" yaml:"keyless,omitempty"`
	// Attestor is a nested AttestorSet used to specify a more complex set of match authorities
	// +kubebuilder:validation:Optional
	Attestor *apiextv1.JSON `json:"attestor,omitempty" yaml:"attestor,omitempty"`
	// Annotations are used for image verification.
	// Every specified key-value pair must exist and match in the verified payload.
	// The payload may contain other key-value pairs.
	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
	// Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
	// If specified Repository will override other OCI image repository locations for this Attestor.
	// Note that this only relocates where signatures and attestations are looked
	// up; presumably they are still verified against this Attestor's
	// Keys/Certificates/Keyless, so a wrong Repository fails closed rather than
	// widening trust — confirm against the verifier.
	Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
}
func (*Attestor) DeepCopy ¶ added in v1.7.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestor.
func (*Attestor) DeepCopyInto ¶ added in v1.7.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AttestorSet ¶ added in v1.7.0
// AttestorSet is a threshold ("N of M") set of Attestors used to express
// which signing authorities must have signed an image or attestation.
// Count selects the threshold; Entries are the candidate authorities.
type AttestorSet struct {
	// Count specifies the required number of entries that must match. If the count is null, all entries must match
	// (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
	// value N, then N must be less than or equal to the size of entries, and at least N entries must match.
	// Note the asymmetry: leaving Count unset is the strictest setting (every
	// entry must match), while Count=1 accepts any single entry.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Minimum:=1
	Count *int `json:"count,omitempty" yaml:"count,omitempty"`
	// Entries contains the available attestors. An attestor can be a static key,
	// attributes for keyless verification, or a nested attestor declaration.
	// +kubebuilder:validation:Optional
	Entries []Attestor `json:"entries,omitempty" yaml:"entries,omitempty"`
}
func AttestorSetUnmarshal ¶ added in v1.7.0
func AttestorSetUnmarshal(o *apiextv1.JSON) (*AttestorSet, error)
func (*AttestorSet) DeepCopy ¶ added in v1.7.0
func (in *AttestorSet) DeepCopy() *AttestorSet
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestorSet.
func (*AttestorSet) DeepCopyInto ¶ added in v1.7.0
func (in *AttestorSet) DeepCopyInto(out *AttestorSet)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AutogenStatus ¶ added in v1.7.0
// AutogenStatus contains autogen status information. It indicates requested
// and effective autogen controllers used when automatically generating rules.
// Requested reflects what the policy asked for (see PodControllersAnnotation);
// Activated is the subset actually in effect. A difference between the two is
// worth surfacing, since rules a policy author expects to be enforced for a
// controller kind would not be.
type AutogenStatus struct {
	// Requested indicates the autogen requested controllers
	Requested []string `json:"requested,omitempty" yaml:"requested,omitempty"`
	// Activated indicates the autogen activated controllers
	Activated []string `json:"activated,omitempty" yaml:"activated,omitempty"`
}
func (*AutogenStatus) DeepCopy ¶ added in v1.7.0
func (in *AutogenStatus) DeepCopy() *AutogenStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenStatus.
func (*AutogenStatus) DeepCopyInto ¶ added in v1.7.0
func (in *AutogenStatus) DeepCopyInto(out *AutogenStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CTLog ¶ added in v1.7.0
// CTLog identifies the Sigstore transparency log (Rekor) consulted during
// certificate-based verification; see CertificateAttestor.Rekor.
//
// NOTE(review): pointing URL at a non-default log only changes which server is
// queried. How that log's own signing key is trusted (needed to verify
// inclusion proofs and signed entry timestamps) is not configured here —
// confirm how a private Rekor instance is trusted before relying on it.
type CTLog struct {
	// URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
	// +kubebuilder:validation:Required
	// +kubebuilder:Default:=https://rekor.sigstore.dev
	URL string `json:"url" yaml:"url"`
}
func (*CTLog) DeepCopy ¶ added in v1.7.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CTLog.
func (*CTLog) DeepCopyInto ¶ added in v1.7.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateAttestor ¶ added in v1.7.0
// CertificateAttestor verifies signatures against an explicit PEM certificate
// and (optionally) its issuing chain, with an optional Rekor transparency-log
// check.
//
// Security note: when Rekor is nil the transparency log is not consulted, so
// acceptance rests solely on the certificate chain; there is then no
// log-inclusion evidence that the signature was publicly recorded, and no
// signed timestamp from the log to bound when it was produced. Leave Rekor
// set (an empty object selects the public instance) unless that trade-off is
// deliberate, e.g. an air-gapped deployment.
type CertificateAttestor struct {
	// Certificate is an optional PEM encoded public certificate.
	// +kubebuilder:validation:Optional
	Certificate string `json:"cert,omitempty" yaml:"cert,omitempty"`
	// CertificateChain is an optional PEM encoded set of certificates used to verify
	// +kubebuilder:validation:Optional
	CertificateChain string `json:"certChain,omitempty" yaml:"certChain,omitempty"`
	// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
	// Rekor is not checked. If an empty object is provided the public instance of
	// Rekor (https://rekor.sigstore.dev) is used.
	// +kubebuilder:validation:Optional
	Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
}
func (*CertificateAttestor) DeepCopy ¶ added in v1.7.0
func (in *CertificateAttestor) DeepCopy() *CertificateAttestor
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAttestor.
func (*CertificateAttestor) DeepCopyInto ¶ added in v1.7.0
func (in *CertificateAttestor) DeepCopyInto(out *CertificateAttestor)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CloneFrom ¶
// CloneFrom provides the location of the source resource used to generate
// target resources. The resource kind is derived from the match criteria.
// The source is read by the policy engine, not by the author of the policy,
// so a generate rule can presumably copy resources (Secrets included) out of
// a namespace the author cannot read themselves — confirm against the
// engine's RBAC and keep Namespace explicit for such rules.
type CloneFrom struct {
	// Namespace specifies source resource namespace.
	// +optional
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
	// Name specifies name of the resource.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
}
func (*CloneFrom) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloneFrom.
func (*CloneFrom) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterPolicy ¶
// ClusterPolicy declares validation, mutation, and generation behaviors for
// matching resources. It is the cluster-scoped counterpart of Policy and
// shares its Spec; see PolicyInterface for the common accessors.
type ClusterPolicy struct {
	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
	// Spec declares policy behaviors.
	Spec Spec `json:"spec" yaml:"spec"`
	// Status contains policy runtime data.
	// +optional
	Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}
func (*ClusterPolicy) BackgroundProcessingEnabled ¶
func (p *ClusterPolicy) BackgroundProcessingEnabled() bool
BackgroundProcessingEnabled checks if background is set to true
func (*ClusterPolicy) CreateDeepCopy ¶ added in v1.7.0
func (p *ClusterPolicy) CreateDeepCopy() PolicyInterface
func (*ClusterPolicy) DeepCopy ¶
func (in *ClusterPolicy) DeepCopy() *ClusterPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy.
func (*ClusterPolicy) DeepCopyInto ¶
func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterPolicy) DeepCopyObject ¶
func (in *ClusterPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterPolicy) GetKind ¶ added in v1.7.0
func (p *ClusterPolicy) GetKind() string
func (*ClusterPolicy) GetSpec ¶ added in v1.7.0
func (p *ClusterPolicy) GetSpec() *Spec
GetSpec returns the policy spec
func (*ClusterPolicy) HasAutoGenAnnotation ¶
func (p *ClusterPolicy) HasAutoGenAnnotation() bool
HasAutoGenAnnotation checks if a policy has auto-gen annotation
func (*ClusterPolicy) HasGenerate ¶
func (p *ClusterPolicy) HasGenerate() bool
HasGenerate checks for generate rule types
func (*ClusterPolicy) HasMutate ¶
func (p *ClusterPolicy) HasMutate() bool
HasMutate checks for mutate rule types
func (*ClusterPolicy) HasMutateOrValidateOrGenerate ¶
func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool
HasMutateOrValidateOrGenerate checks for rule types
func (*ClusterPolicy) HasValidate ¶
func (p *ClusterPolicy) HasValidate() bool
HasValidate checks for validate rule types
func (*ClusterPolicy) HasVerifyImages ¶
func (p *ClusterPolicy) HasVerifyImages() bool
HasVerifyImages checks for image verification rule types
func (*ClusterPolicy) IsNamespaced ¶ added in v1.7.0
func (p *ClusterPolicy) IsNamespaced() bool
IsNamespaced indicates if the policy is namespace scoped
func (*ClusterPolicy) IsReady ¶ added in v1.7.0
func (p *ClusterPolicy) IsReady() bool
IsReady indicates if the policy is ready to serve the admission request
func (*ClusterPolicy) Validate ¶ added in v1.7.0
func (p *ClusterPolicy) Validate(clusterResources sets.String) (errs field.ErrorList)
Validate implements programmatic validation of the policy. "namespaced" means that the policy is bound to a namespace and therefore should not filter/generate cluster-wide resources; clusterResources is presumably the set of cluster-scoped resource kinds used to enforce that.
type ClusterPolicyList ¶
// ClusterPolicyList is a list of ClusterPolicy instances.
type ClusterPolicyList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`
	Items           []ClusterPolicy `json:"items" yaml:"items"`
}
func (*ClusterPolicyList) DeepCopy ¶
func (in *ClusterPolicyList) DeepCopy() *ClusterPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyList.
func (*ClusterPolicyList) DeepCopyInto ¶
func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterPolicyList) DeepCopyObject ¶
func (in *ClusterPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type Condition ¶
// Condition defines variable-based conditional criteria for rule execution.
// RawKey and RawValue are kept as raw JSON so that either a literal or a
// JMESPath variable reference can be supplied; use GetKey/GetValue and
// SetKey/SetValue to work with them.
type Condition struct {
	// Key is the context entry (using JMESPath) for conditional rule evaluation.
	RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"`
	// Operator is the conditional operation to perform. Valid operators are:
	// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
	// GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
	// DurationLessThanOrEquals, DurationLessThan
	// (The deprecated Equal / NotEqual spellings are still listed in ConditionOperators.)
	Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
	// Value is the conditional value, or set of values. The values can be fixed set
	// or can be variables declared using JMESPath.
	// +optional
	RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`
}
func (*Condition) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (*Condition) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Condition) GetKey ¶ added in v1.7.0
func (c *Condition) GetKey() apiextensions.JSON
func (*Condition) GetValue ¶ added in v1.7.0
func (c *Condition) GetValue() apiextensions.JSON
func (*Condition) SetKey ¶ added in v1.7.0
func (c *Condition) SetKey(in apiextensions.JSON)
func (*Condition) SetValue ¶ added in v1.7.0
func (c *Condition) SetValue(in apiextensions.JSON)
type ConditionOperator ¶
// ConditionOperator is the operation performed on condition key and value.
// The enum below is what the CRD schema accepts; note that it omits the
// deprecated "Equal" and "NotEqual" spellings still present in ConditionOperators.
// +kubebuilder:validation:Enum=Equals;NotEquals;In;AnyIn;AllIn;NotIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan
type ConditionOperator string
type ConfigMapReference ¶
// ConfigMapReference refers to a ConfigMap whose data is loaded into the rule
// context (see ContextEntry). The ConfigMap is read by the policy engine with
// its own credentials, not the policy author's, so a policy can presumably
// reference a ConfigMap in any namespace the engine can read — confirm
// against the engine's RBAC.
type ConfigMapReference struct {
	// Name is the ConfigMap name.
	Name string `json:"name" yaml:"name"`
	// Namespace is the ConfigMap namespace.
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
}
func (*ConfigMapReference) DeepCopy ¶
func (in *ConfigMapReference) DeepCopy() *ConfigMapReference
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.
func (*ConfigMapReference) DeepCopyInto ¶
func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ContextEntry ¶
// ContextEntry adds variables and data sources to a rule Context. One of
// ConfigMap, APICall, ImageRegistry or Variable must be provided; the
// resulting data is exposed to the rule under Name. Whether setting more
// than one source on the same entry is rejected is not shown here.
type ContextEntry struct {
	// Name is the variable name.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
	// ConfigMap is the ConfigMap reference.
	ConfigMap *ConfigMapReference `json:"configMap,omitempty" yaml:"configMap,omitempty"`
	// APICall defines an HTTP request to the Kubernetes API server. The JSON
	// data retrieved is stored in the context.
	APICall *APICall `json:"apiCall,omitempty" yaml:"apiCall,omitempty"`
	// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
	// details.
	ImageRegistry *ImageRegistry `json:"imageRegistry,omitempty" yaml:"imageRegistry,omitempty"`
	// Variable defines an arbitrary JMESPath context variable that can be defined inline.
	Variable *Variable `json:"variable,omitempty" yaml:"variable,omitempty"`
}
func (*ContextEntry) DeepCopy ¶
func (in *ContextEntry) DeepCopy() *ContextEntry
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextEntry.
func (*ContextEntry) DeepCopyInto ¶
func (in *ContextEntry) DeepCopyInto(out *ContextEntry)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Deny ¶
// Deny specifies a list of conditions used to pass or fail a validation rule.
// The conditions are kept as raw JSON because two shapes are accepted: an
// AnyAllConditions object, or (for backwards compatibility) a bare list of
// Condition; use GetAnyAllConditions/SetAnyAllConditions to access them.
type Deny struct {
	// Multiple conditions can be declared under an `any` or `all` statement. A direct list
	// of conditions (without `any` or `all` statements) is also supported for backwards compatibility
	// but will be deprecated in the next major release.
	// See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
	RawAnyAllConditions *apiextv1.JSON `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}
func (*Deny) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deny.
func (*Deny) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Deny) GetAnyAllConditions ¶ added in v1.7.0
func (d *Deny) GetAnyAllConditions() apiextensions.JSON
func (*Deny) SetAnyAllConditions ¶ added in v1.7.0
func (d *Deny) SetAnyAllConditions(in apiextensions.JSON)
type FailurePolicyType ¶
// FailurePolicyType specifies a failure policy that defines how unrecognized
// errors from the admission endpoint are handled.
// +kubebuilder:validation:Enum=Ignore;Fail
type FailurePolicyType string

const (
	// Ignore means that an error calling the webhook is ignored.
	// NOTE(review): this is the fail-open setting. A request whose webhook call
	// errors out (e.g. the controller is unreachable or times out) is admitted
	// without this policy being evaluated, so an outage of the policy engine
	// becomes a bypass. Policies that enforce security controls should use
	// Fail.
	Ignore FailurePolicyType = "Ignore"
	// Fail means that an error calling the webhook causes the admission to fail.
	// This is the fail-closed setting: guaranteed enforcement at the cost of
	// availability while the engine is unhealthy.
	Fail FailurePolicyType = "Fail"
)
type ForEachMutation ¶
// ForEachMutation applies mutation rules to a list of sub-elements by creating
// a context for each entry in the list and looping over it to apply the
// specified logic. Which of RawPatchStrategicMerge / PatchesJSON6902 takes
// precedence when both are set is not shown here.
type ForEachMutation struct {
	// List specifies a JMESPath expression that results in one or more elements
	// to which the mutation logic is applied.
	List string `json:"list,omitempty" yaml:"list,omitempty"`
	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
	// AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements.
	// See: https://kyverno.io/docs/writing-policies/preconditions/
	// +kubebuilder:validation:XPreserveUnknownFields
	// +optional
	AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
	// PatchStrategicMerge is a strategic merge patch used to modify resources.
	// See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
	// and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
	// +optional
	RawPatchStrategicMerge *apiextv1.JSON `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"`
	// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
	// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
	// Held as a string (serialized patch list), unlike the raw JSON used for the strategic merge patch.
	// +optional
	PatchesJSON6902 string `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"`
}
func (*ForEachMutation) DeepCopy ¶
func (in *ForEachMutation) DeepCopy() *ForEachMutation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForEachMutation.
func (*ForEachMutation) DeepCopyInto ¶
func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ForEachMutation) GetPatchStrategicMerge ¶ added in v1.7.0
func (m *ForEachMutation) GetPatchStrategicMerge() apiextensions.JSON
func (*ForEachMutation) SetPatchStrategicMerge ¶ added in v1.7.0
func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON)
type ForEachValidation ¶
// ForEachValidation applies validate rules to a list of sub-elements by creating a
// context for each entry in the list and looping over it to apply the specified logic.
type ForEachValidation struct {
	// List specifies a JMESPath expression that results in one or more elements
	// to which the validation logic is applied.
	List string `json:"list,omitempty" yaml:"list,omitempty"`

	// ElementScope specifies whether to use the current list element as the scope for validation.
	// Defaults to "true" if not specified.
	// When set to "false", "request.object" is used as the validation scope within the foreach
	// block to allow referencing other elements in the subtree.
	// +optional
	ElementScope *bool `json:"elementScope,omitempty" yaml:"elementScope,omitempty"`

	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`

	// AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements.
	// Note that the serialized field name is `preconditions`, matching Rule.
	// See: https://kyverno.io/docs/writing-policies/preconditions/
	// +kubebuilder:validation:XPreserveUnknownFields
	// +optional
	AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`

	// Pattern specifies an overlay-style pattern used to check resources.
	// The raw JSON is exposed through GetPattern / SetPattern.
	// +optional
	RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`

	// AnyPattern specifies list of validation patterns. At least one of the patterns
	// must be satisfied for the validation rule to succeed.
	// The raw JSON is exposed through GetAnyPattern / SetAnyPattern.
	// +optional
	RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`

	// Deny defines conditions used to pass or fail a validation rule.
	// +optional
	Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`
}
func (*ForEachValidation) DeepCopy ¶
func (in *ForEachValidation) DeepCopy() *ForEachValidation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForEachValidation.
func (*ForEachValidation) DeepCopyInto ¶
func (in *ForEachValidation) DeepCopyInto(out *ForEachValidation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ForEachValidation) GetAnyPattern ¶ added in v1.7.0
func (v *ForEachValidation) GetAnyPattern() apiextensions.JSON
func (*ForEachValidation) GetPattern ¶ added in v1.7.0
func (v *ForEachValidation) GetPattern() apiextensions.JSON
func (*ForEachValidation) SetAnyPattern ¶ added in v1.7.0
func (v *ForEachValidation) SetAnyPattern(in apiextensions.JSON)
func (*ForEachValidation) SetPattern ¶ added in v1.7.0
func (v *ForEachValidation) SetPattern(in apiextensions.JSON)
type GenerateRequest ¶
// GenerateRequest is a request to process generate rule.
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Policy",type="string",JSONPath=".spec.policy"
// +kubebuilder:printcolumn:name="ResourceKind",type="string",JSONPath=".spec.resource.kind"
// +kubebuilder:printcolumn:name="ResourceName",type="string",JSONPath=".spec.resource.name"
// +kubebuilder:printcolumn:name="ResourceNamespace",type="string",JSONPath=".spec.resource.namespace"
// +kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:resource:shortName=gr
type GenerateRequest struct {
	metav1.TypeMeta   `json:",inline" yaml:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

	// Spec is the information to identify the generate request.
	Spec GenerateRequestSpec `json:"spec" yaml:"spec"`

	// Status contains statistics related to generate request.
	// Declared as a status subresource (marker above), so it is written through
	// the status endpoint separately from the spec.
	// +optional
	Status GenerateRequestStatus `json:"status" yaml:"status"`
}
func (*GenerateRequest) DeepCopy ¶
func (in *GenerateRequest) DeepCopy() *GenerateRequest
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequest.
func (*GenerateRequest) DeepCopyInto ¶
func (in *GenerateRequest) DeepCopyInto(out *GenerateRequest)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*GenerateRequest) DeepCopyObject ¶
func (in *GenerateRequest) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GenerateRequestContext ¶
// GenerateRequestContext stores the context to be shared with generate processing:
// the requesting user's identity and the admission request that accompanied it.
type GenerateRequestContext struct {
	// UserRequestInfo carries the roles, cluster roles and authenticated user info
	// of the requester (see RequestInfo).
	// +optional
	UserRequestInfo RequestInfo `json:"userInfo,omitempty" yaml:"userInfo,omitempty"`

	// AdmissionRequestInfo carries the admission request data associated with the generate request.
	// +optional
	AdmissionRequestInfo AdmissionRequestInfoObject `json:"admissionRequestInfo,omitempty" yaml:"admissionRequestInfo,omitempty"`
}
func (*GenerateRequestContext) DeepCopy ¶
func (in *GenerateRequestContext) DeepCopy() *GenerateRequestContext
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestContext.
func (*GenerateRequestContext) DeepCopyInto ¶
func (in *GenerateRequestContext) DeepCopyInto(out *GenerateRequestContext)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GenerateRequestList ¶
// GenerateRequestList stores the list of generate requests.
type GenerateRequestList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`

	// Items holds the GenerateRequest objects in this list.
	Items []GenerateRequest `json:"items" yaml:"items"`
}
func (*GenerateRequestList) DeepCopy ¶
func (in *GenerateRequestList) DeepCopy() *GenerateRequestList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestList.
func (*GenerateRequestList) DeepCopyInto ¶
func (in *GenerateRequestList) DeepCopyInto(out *GenerateRequestList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*GenerateRequestList) DeepCopyObject ¶
func (in *GenerateRequestList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GenerateRequestSpec ¶
// GenerateRequestSpec stores the request specification.
type GenerateRequestSpec struct {
	// Policy specifies the name of the policy whose generate rule is to be processed.
	Policy string `json:"policy" yaml:"policy"`

	// Resource identifies the resource this generate request applies to.
	Resource ResourceSpec `json:"resource" yaml:"resource"`

	// Context carries the user and admission request information recorded with the
	// request (see GenerateRequestContext).
	Context GenerateRequestContext `json:"context" yaml:"context"`
}
func (*GenerateRequestSpec) DeepCopy ¶
func (in *GenerateRequestSpec) DeepCopy() *GenerateRequestSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestSpec.
func (*GenerateRequestSpec) DeepCopyInto ¶
func (in *GenerateRequestSpec) DeepCopyInto(out *GenerateRequestSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GenerateRequestState ¶
// GenerateRequestState defines the state of request.
type GenerateRequestState string

const (
	// Pending - the Request is yet to be processed or resource has not been created.
	Pending GenerateRequestState = "Pending"

	// Failed - the Generate Request Controller failed to process the rules.
	Failed GenerateRequestState = "Failed"

	// Completed - the Generate Request Controller created resources defined in the policy.
	Completed GenerateRequestState = "Completed"

	// Skip - the Generate Request Controller skipped generating the resource.
	Skip GenerateRequestState = "Skip"
)
type GenerateRequestStatus ¶
// GenerateRequestStatus stores the status of a generate request.
type GenerateRequestStatus struct {
	// State represents state of the generate request (see GenerateRequestState).
	State GenerateRequestState `json:"state" yaml:"state"`

	// Message specifies the request status message.
	// +optional
	Message string `json:"message,omitempty" yaml:"message,omitempty"`

	// GeneratedResources tracks the resources that were generated by the generate policy.
	// It is used when cleaning up those resources, so it is the record of what the
	// controller considers itself to own.
	GeneratedResources []ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"`
}
func (*GenerateRequestStatus) DeepCopy ¶
func (in *GenerateRequestStatus) DeepCopy() *GenerateRequestStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestStatus.
func (*GenerateRequestStatus) DeepCopyInto ¶
func (in *GenerateRequestStatus) DeepCopyInto(out *GenerateRequestStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Generation ¶
// Generation defines how new resources should be created and managed.
type Generation struct {
	// ResourceSpec contains information to select the resource.
	ResourceSpec `json:",omitempty" yaml:",omitempty"`

	// Synchronize controls if generated resources should be kept in-sync with their source resource.
	// If Synchronize is set to "true" changes to generated resources will be overwritten with resource
	// data from Data or the resource specified in the Clone declaration. In other words, manual edits
	// to a generated resource are reverted; when "false", drift from the source is not corrected.
	// Optional. Defaults to "false" if not specified.
	// +optional
	Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`

	// Data provides the resource declaration used to populate each generated resource.
	// At most one of Data or Clone must be specified. If neither are provided, the generated
	// resource will be created with default data only.
	// The raw JSON is exposed through GetData / SetData.
	// +optional
	RawData *apiextv1.JSON `json:"data,omitempty" yaml:"data,omitempty"`

	// Clone specifies the source resource used to populate each generated resource.
	// At most one of Data or Clone can be specified. If neither are provided, the generated
	// resource will be created with default data only.
	// +optional
	Clone CloneFrom `json:"clone,omitempty" yaml:"clone,omitempty"`
}
func (*Generation) DeepCopy ¶
func (in *Generation) DeepCopy() *Generation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Generation.
func (*Generation) DeepCopyInto ¶
func (in *Generation) DeepCopyInto(out *Generation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Generation) GetData ¶ added in v1.7.0
func (g *Generation) GetData() apiextensions.JSON
func (*Generation) SetData ¶ added in v1.7.0
func (g *Generation) SetData(in apiextensions.JSON)
type ImageExtractorConfig ¶ added in v1.7.0
// ImageExtractorConfig describes where container image references are found in a
// custom resource so that verifyImages rules can locate them (see Rule.ImageExtractors).
type ImageExtractorConfig struct {
	// Path is the path to the object containing the image field in a custom resource.
	// It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
	// Wildcard keys are expanded in case of arrays or objects.
	Path string `json:"path" yaml:"path"`

	// Value is an optional name of the field within 'path' that points to the image URI.
	// This is useful when a custom 'key' is also defined.
	// +optional
	Value string `json:"value,omitempty" yaml:"value,omitempty"`

	// Name is the entry the image will be available under 'images.<name>' in the context.
	// If this field is not defined, image entries will appear under 'images.custom'.
	// +optional
	Name string `json:"name,omitempty" yaml:"name,omitempty"`

	// Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
	// Note - this field MUST be unique. Nothing in this type enforces that; a duplicate key
	// would presumably let one extracted image shadow another, so validate it where the
	// config is consumed.
	// +optional
	Key string `json:"key,omitempty" yaml:"key,omitempty"`
}
func (*ImageExtractorConfig) DeepCopy ¶ added in v1.7.0
func (in *ImageExtractorConfig) DeepCopy() *ImageExtractorConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageExtractorConfig.
func (*ImageExtractorConfig) DeepCopyInto ¶ added in v1.7.0
func (in *ImageExtractorConfig) DeepCopyInto(out *ImageExtractorConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ImageExtractorConfigs ¶ added in v1.7.0
// ImageExtractorConfigs maps a resource kind to the extractor configs that locate
// image references inside resources of that kind (see Rule.ImageExtractors).
type ImageExtractorConfigs map[string][]ImageExtractorConfig
func (ImageExtractorConfigs) DeepCopy ¶ added in v1.7.0
func (in ImageExtractorConfigs) DeepCopy() ImageExtractorConfigs
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageExtractorConfigs.
func (ImageExtractorConfigs) DeepCopyInto ¶ added in v1.7.0
func (in ImageExtractorConfigs) DeepCopyInto(out *ImageExtractorConfigs)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ImageRegistry ¶
// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.
// NOTE(review): this is a network lookup performed during rule execution; which
// credentials it uses and how failures are handled are not visible in this type.
type ImageRegistry struct {
	// Reference is image reference to a container image in the registry.
	// Example: ghcr.io/kyverno/kyverno:latest
	Reference string `json:"reference" yaml:"reference"`

	// JMESPath is an optional JSON Match Expression that can be used to
	// transform the ImageData struct returned as a result of processing
	// the image reference.
	// +optional
	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
}
func (*ImageRegistry) DeepCopy ¶
func (in *ImageRegistry) DeepCopy() *ImageRegistry
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistry.
func (*ImageRegistry) DeepCopyInto ¶
func (in *ImageRegistry) DeepCopyInto(out *ImageRegistry)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ImageVerification ¶
// ImageVerification validates that images matching the specified references are signed
// by the configured attestors (or, through the deprecated top-level fields, by the
// supplied public key or keyless identity). Once an image is verified it is mutated to
// replace its tag with the digest resolved during verification (see MutateDigest).
type ImageVerification struct {
	// Image is the image name consisting of the registry address, repository, image, and tag.
	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
	//
	// Deprecated: use ImageReferences instead.
	// +kubebuilder:validation:Optional
	Image string `json:"image,omitempty" yaml:"image,omitempty"`

	// ImageReferences is a list of matching image reference patterns. At least one pattern in the
	// list must match the image for the rule to apply. Each image reference consists of a registry
	// address (defaults to docker.io), repository, image, and tag (defaults to latest).
	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
	// +kubebuilder:validation:Optional
	ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"`

	// Key is the PEM encoded public key that the image or attestation is signed with.
	//
	// Deprecated: use StaticKeyAttestor instead.
	Key string `json:"key,omitempty" yaml:"key,omitempty"`

	// Roots is the PEM encoded Root certificate chain used for keyless signing.
	//
	// Deprecated: use KeylessAttestor instead.
	Roots string `json:"roots,omitempty" yaml:"roots,omitempty"`

	// Subject is the identity used for keyless signing, for example an email address.
	//
	// Deprecated: use KeylessAttestor instead.
	Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`

	// Issuer is the certificate issuer used for keyless signing.
	//
	// Deprecated: use KeylessAttestor instead.
	Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`

	// AdditionalExtensions are certificate-extensions used for keyless signing.
	//
	// Deprecated: use KeylessAttestor.AdditionalExtensions instead.
	AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"`

	// Attestors specifies the required attestors (i.e. authorities).
	// +kubebuilder:validation:Optional
	Attestors []AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"`

	// Attestations are optional checks for signed in-toto Statements used to verify the image.
	// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
	// OCI registry and decodes them into a list of Statement declarations.
	Attestations []Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"`

	// Annotations are used for image verification.
	// Every specified key-value pair must exist and match in the verified payload.
	// The payload may contain other key-value pairs.
	//
	// Deprecated: use annotations per Attestor instead.
	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`

	// Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
	// If specified Repository will override the default OCI image repository configured for the installation.
	// The repository can also be overridden per Attestor or Attestation.
	// Signature material is then fetched from this repository rather than the image's own;
	// the attestor keys/identities still govern what is accepted.
	Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`

	// MutateDigest enables replacement of image tags with digests, pinning the exact
	// content that was verified (tags are mutable, digests are not).
	// Defaults to true. The field is serialized without omitempty so an explicit
	// false survives a round trip; the CRD default applies only when it is absent.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	MutateDigest bool `json:"mutateDigest" yaml:"mutateDigest"`

	// VerifyDigest validates that images have a digest.
	// Defaults to true.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	VerifyDigest bool `json:"verifyDigest" yaml:"verifyDigest"`

	// Required validates that images are verified, i.e. have passed a signature or attestation check.
	// Defaults to true.
	// NOTE(review): when false, a matching image that passed no signature or attestation
	// check is presumably not rejected by this rule; confirm in the verifier before relaxing
	// it in a production policy.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	Required bool `json:"required" yaml:"required"`
}
func (*ImageVerification) Convert ¶ added in v1.7.0
func (iv *ImageVerification) Convert() *ImageVerification
func (*ImageVerification) DeepCopy ¶
func (in *ImageVerification) DeepCopy() *ImageVerification
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.
func (*ImageVerification) DeepCopyInto ¶
func (in *ImageVerification) DeepCopyInto(out *ImageVerification)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KeylessAttestor ¶ added in v1.7.0
// KeylessAttestor configures verification of keyless (certificate-based) signatures:
// the expected issuer and subject identity of the signing certificate, the trusted
// roots it must chain to, and the optional Rekor transparency log check.
type KeylessAttestor struct {
	// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
	// Rekor is not checked and a root certificate chain is expected instead. If an empty object
	// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
	// +kubebuilder:validation:Optional
	Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`

	// Issuer is the certificate issuer used for keyless signing.
	// +kubebuilder:validation:Optional
	Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`

	// Subject is the verified identity used for keyless signing, for example the email address.
	// NOTE(review): Issuer and Subject are both optional; if both are left empty this attestor
	// carries no identity constraint beyond the root chain. Confirm what the verifier does in
	// that case and pin both in production policies.
	// +kubebuilder:validation:Optional
	Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`

	// Roots is an optional set of PEM encoded trusted root certificates.
	// If not provided, the system roots are used.
	// NOTE(review): "system roots" is not defined in this type; confirm which trust
	// store that refers to before relying on the default.
	// +kubebuilder:validation:Optional
	Roots string `json:"roots,omitempty" yaml:"roots,omitempty"`

	// AdditionalExtensions are certificate-extensions used for keyless signing.
	// +kubebuilder:validation:Optional
	AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"`
}
func (*KeylessAttestor) DeepCopy ¶ added in v1.7.0
func (in *KeylessAttestor) DeepCopy() *KeylessAttestor
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessAttestor.
func (*KeylessAttestor) DeepCopyInto ¶ added in v1.7.0
func (in *KeylessAttestor) DeepCopyInto(out *KeylessAttestor)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MatchResources ¶
// MatchResources is used to specify resource and admission review request data for which
// a policy rule is applicable. The same type is used for Rule.ExcludeResources, so an
// overly broad filter widens a rule's reach under `match` and widens its bypass under `exclude`.
type MatchResources struct {
	// Any allows specifying resources which will be ORed
	// +optional
	Any ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`

	// All allows specifying resources which will be ANDed
	// +optional
	All ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`

	// UserInfo contains information about the user performing the operation.
	// Specifying UserInfo directly under match is being deprecated.
	// Please specify under "any" or "all" instead.
	// +optional
	UserInfo `json:",omitempty" yaml:",omitempty"`

	// ResourceDescription contains information about the resource being created or modified.
	// Requires at least one tag to be specified when under MatchResources.
	// Specifying ResourceDescription directly under match is being deprecated.
	// Please specify under "any" or "all" instead.
	// +optional
	ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}
func (*MatchResources) DeepCopy ¶
func (in *MatchResources) DeepCopy() *MatchResources
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.
func (*MatchResources) DeepCopyInto ¶
func (in *MatchResources) DeepCopyInto(out *MatchResources)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*MatchResources) GetKinds ¶ added in v1.7.0
func (m *MatchResources) GetKinds() []string
GetKinds returns all resource kinds referenced by this MatchResources.
type Mutation ¶
// Mutation defines how resources are modified.
type Mutation struct {
	// Targets defines the target resources to be mutated.
	// NOTE(review): when set, the mutation reaches existing resources beyond the admitted
	// object; the exact semantics live in the mutate engine and are not visible here.
	// +optional
	Targets []ResourceSpec `json:"targets,omitempty" yaml:"targets,omitempty"`

	// PatchStrategicMerge is a strategic merge patch used to modify resources.
	// See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
	// and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
	// The raw JSON is exposed through GetPatchStrategicMerge / SetPatchStrategicMerge.
	// +optional
	RawPatchStrategicMerge *apiextv1.JSON `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"`

	// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
	// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
	// +optional
	PatchesJSON6902 string `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"`

	// ForEach applies mutation rules to a list of sub-elements by creating a context for each
	// entry in the list and looping over it to apply the specified logic.
	// +optional
	ForEachMutation []ForEachMutation `json:"foreach,omitempty" yaml:"foreach,omitempty"`
}
func (*Mutation) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Mutation.
func (*Mutation) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Mutation) GetPatchStrategicMerge ¶ added in v1.7.0
func (m *Mutation) GetPatchStrategicMerge() apiextensions.JSON
func (*Mutation) SetPatchStrategicMerge ¶ added in v1.7.0
func (m *Mutation) SetPatchStrategicMerge(in apiextensions.JSON)
type Policy ¶
// Policy declares validation, mutation, and generation behaviors for matching resources.
// It is the namespaced counterpart of ClusterPolicy; both satisfy PolicyInterface.
// See: https://kyverno.io/docs/writing-policies/ for more information.
type Policy struct {
	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

	// Spec defines policy behaviors and contains one or more rules.
	Spec Spec `json:"spec" yaml:"spec"`

	// Status contains policy runtime information.
	// +optional
	// Deprecated. Policy metrics are available via the metrics endpoint
	Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}
func (*Policy) BackgroundProcessingEnabled ¶ added in v1.7.0
BackgroundProcessingEnabled checks if background is set to true
func (*Policy) CreateDeepCopy ¶ added in v1.7.0
func (p *Policy) CreateDeepCopy() PolicyInterface
func (*Policy) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (*Policy) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Policy) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*Policy) HasAutoGenAnnotation ¶ added in v1.7.0
HasAutoGenAnnotation checks if a policy has auto-gen annotation
func (*Policy) HasGenerate ¶ added in v1.7.0
HasGenerate checks for generate rule types
func (*Policy) HasMutateOrValidateOrGenerate ¶ added in v1.7.0
HasMutateOrValidateOrGenerate checks for rule types
func (*Policy) HasValidate ¶ added in v1.7.0
HasValidate checks for validate rule types
func (*Policy) HasVerifyImages ¶ added in v1.7.0
HasVerifyImages checks for image verification rule types
func (*Policy) IsNamespaced ¶ added in v1.7.0
IsNamespaced indicates if the policy is namespace scoped
type PolicyInterface ¶ added in v1.7.0
// PolicyInterface abstracts the concrete policy type (Policy vs ClusterPolicy) so that
// callers can validate, inspect and copy a policy without knowing its scope.
// +kubebuilder:object:generate=false
type PolicyInterface interface {
	metav1.Object

	// BackgroundProcessingEnabled reports whether background is set to true.
	BackgroundProcessingEnabled() bool
	// HasAutoGenAnnotation reports whether the policy carries the auto-gen annotation.
	HasAutoGenAnnotation() bool
	// IsNamespaced reports whether the policy is namespace scoped.
	IsNamespaced() bool
	// GetSpec returns the policy spec.
	GetSpec() *Spec
	// Validate checks the policy against the given set of cluster-scoped resources.
	Validate(sets.String) field.ErrorList
	// GetKind returns the concrete kind name.
	GetKind() string
	// CreateDeepCopy returns a deep copy behind the same interface.
	CreateDeepCopy() PolicyInterface
	// IsReady reports whether the policy is ready to serve admission requests.
	IsReady() bool
}
type PolicyList ¶
// PolicyList is a list of Policy instances.
type PolicyList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`

	// Items holds the Policy objects in this list.
	Items []Policy `json:"items" yaml:"items"`
}
func (*PolicyList) DeepCopy ¶
func (in *PolicyList) DeepCopy() *PolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList.
func (*PolicyList) DeepCopyInto ¶
func (in *PolicyList) DeepCopyInto(out *PolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyList) DeepCopyObject ¶
func (in *PolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyStatus ¶
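// PolicyStatus mostly contains runtime information related to policy execution.
//
// Deprecated: policy metrics are now available via the "/metrics" endpoint.
// See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/
type PolicyStatus struct {
	// Ready indicates if the policy is ready to serve the admission request.
	// Read and written through IsReady / SetReady.
	//
	// Deprecated: use Conditions instead.
	Ready bool `json:"ready" yaml:"ready"`

	// Conditions is a list of conditions that apply to the policy.
	// The yaml tag is added for consistency with every other field in this package.
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}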
func (*PolicyStatus) DeepCopy ¶
func (in *PolicyStatus) DeepCopy() *PolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.
func (*PolicyStatus) DeepCopyInto ¶
func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyStatus) IsReady ¶ added in v1.7.0
func (status *PolicyStatus) IsReady() bool
IsReady indicates if the policy is ready to serve the admission request
func (*PolicyStatus) SetReady ¶ added in v1.7.0
func (status *PolicyStatus) SetReady(ready bool)
type RequestInfo ¶
// RequestInfo contains permission info carried in an admission request: the roles and
// cluster roles associated with the requester and the authenticated user info.
type RequestInfo struct {
	// Roles lists the Roles associated with the user that sent the request.
	// +nullable
	// +optional
	Roles []string `json:"roles" yaml:"roles"`

	// ClusterRoles lists the ClusterRoles associated with the user that sent the request.
	// +nullable
	// +optional
	ClusterRoles []string `json:"clusterRoles" yaml:"clusterRoles"`

	// AdmissionUserInfo is the userInfo carried in the admission request, i.e. the identity
	// the API server authenticated, not data taken from the resource payload.
	// +optional
	AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo" yaml:"userInfo"`
}
func (*RequestInfo) DeepCopy ¶
func (in *RequestInfo) DeepCopy() *RequestInfo
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestInfo.
func (*RequestInfo) DeepCopyInto ¶
func (in *RequestInfo) DeepCopyInto(out *RequestInfo)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceDescription ¶
// ResourceDescription contains criteria used to match resources.
// NOTE(review): the wildcard "?" is documented as "at least one character" for
// names/namespaces/annotations but as "one character" for selectors below; confirm
// which the matcher implements and align the text.
type ResourceDescription struct {
	// Kinds is a list of resource kinds.
	// +optional
	Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`

	// Name is the name of the resource. The name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// NOTE: "Name" is being deprecated in favor of "Names".
	// +optional
	Name string `json:"name,omitempty" yaml:"name,omitempty"`

	// Names are the names of the resources. Each name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// +optional
	Names []string `json:"names,omitempty" yaml:"names,omitempty"`

	// Namespaces is a list of namespaces names. Each name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// +optional
	Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`

	// Annotations is a map of annotations (key-value pairs of type string). Annotation keys
	// and values support the wildcard characters "*" (matches zero or many characters) and
	// "?" (matches at least one character).
	// +optional
	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`

	// Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
	// characters `*` (matches zero or many characters) and `?` (matches one character).
	// Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
	// using ["*" : "*"] matches any key and value but does not match an empty label set.
	// +optional
	Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`

	// NamespaceSelector is a label selector for the resource namespace. Label keys and values
	// in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
	// and `?` (matches one character). Wildcards allows writing label selectors like
	// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
	// does not match an empty label set.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
}
func (*ResourceDescription) DeepCopy ¶
func (in *ResourceDescription) DeepCopy() *ResourceDescription
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDescription.
func (*ResourceDescription) DeepCopyInto ¶
func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceFilter ¶
// ResourceFilter allows users to "AND" or "OR" between resources: a slice of these
// is evaluated as ANDed under MatchResources.All and ORed under MatchResources.Any.
type ResourceFilter struct {
	// UserInfo contains information about the user performing the operation.
	// +optional
	UserInfo `json:",omitempty" yaml:",omitempty"`

	// ResourceDescription contains information about the resource being created or modified.
	ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}
func (*ResourceFilter) DeepCopy ¶
func (in *ResourceFilter) DeepCopy() *ResourceFilter
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilter.
func (*ResourceFilter) DeepCopyInto ¶
func (in *ResourceFilter) DeepCopyInto(out *ResourceFilter)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceFilters ¶
// ResourceFilters is a slice of ResourceFilter, used for the `any` and `all`
// lists of MatchResources.
type ResourceFilters []ResourceFilter
func (ResourceFilters) DeepCopy ¶
func (in ResourceFilters) DeepCopy() ResourceFilters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilters.
func (ResourceFilters) DeepCopyInto ¶
func (in ResourceFilters) DeepCopyInto(out *ResourceFilters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceSpec ¶
// ResourceSpec holds the apiVersion, kind, namespace and name of a resource.
type ResourceSpec struct {
	// APIVersion specifies resource apiVersion.
	// +optional
	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`

	// Kind specifies resource kind.
	Kind string `json:"kind,omitempty" yaml:"kind,omitempty"`

	// Namespace specifies resource namespace.
	// +optional
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`

	// Name specifies the resource name.
	// +optional
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
}
func (*ResourceSpec) DeepCopy ¶
func (in *ResourceSpec) DeepCopy() *ResourceSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceSpec.
func (*ResourceSpec) DeepCopyInto ¶
func (in *ResourceSpec) DeepCopyInto(out *ResourceSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (ResourceSpec) GetAPIVersion ¶ added in v1.7.0
func (s ResourceSpec) GetAPIVersion() string
func (ResourceSpec) GetKind ¶ added in v1.7.0
func (s ResourceSpec) GetKind() string
func (ResourceSpec) GetName ¶ added in v1.7.0
func (s ResourceSpec) GetName() string
func (ResourceSpec) GetNamespace ¶ added in v1.7.0
func (s ResourceSpec) GetNamespace() string
type Rule ¶
// Rule defines a validation, mutation, or generation control for matching resources.
// Each rule contains a match declaration to select resources, and an optional exclude
// declaration to specify which resources to exclude.
type Rule struct {
	// Name is a label to identify the rule. It must be unique within the policy.
	// +kubebuilder:validation:MaxLength=63
	Name string `json:"name,omitempty" yaml:"name,omitempty"`

	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`

	// MatchResources defines when this policy rule should be applied. The match
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the user name or role.
	// At least one kind is required.
	MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`

	// ExcludeResources defines when this policy rule should not be applied. The exclude
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the name or role.
	// +optional
	ExcludeResources MatchResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`

	// ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
	// This config is only valid for verifyImages rules.
	// +optional
	ImageExtractors ImageExtractorConfigs `json:"imageExtractors,omitempty" yaml:"imageExtractors,omitempty"`

	// Preconditions are used to determine if a policy rule should be applied by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
	// of conditions (without `any` or `all` statements) is supported for backwards compatibility but
	// will be deprecated in the next major release.
	// See: https://kyverno.io/docs/writing-policies/preconditions/
	// The raw JSON is kept here; use GetAnyAllConditions/SetAnyAllConditions for the decoded form.
	// +optional
	RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`

	// Mutation is used to modify matching resources.
	// +optional
	Mutation Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`

	// Validation is used to validate matching resources.
	// +optional
	Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`

	// Generation is used to create new resources.
	// +optional
	Generation Generation `json:"generate,omitempty" yaml:"generate,omitempty"`

	// VerifyImages is used to verify image signatures and mutate them to add a digest.
	// +optional
	VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
}
Rule defines a validation, mutation, or generation control for matching resources. Each rule contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude.
func (*Rule) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
func (*Rule) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Rule) GetAnyAllConditions ¶ added in v1.7.0
func (r *Rule) GetAnyAllConditions() apiextensions.JSON
func (*Rule) GetCloneSyncForGenerate ¶ added in v1.7.0
GetCloneSyncForGenerate checks whether the generate rule has a clone block with sync=true.
func (*Rule) HasImagesValidationChecks ¶ added in v1.7.0
HasImagesValidationChecks checks whether the verifyImages rule has validation checks
func (*Rule) HasVerifyImages ¶
HasVerifyImages checks for verifyImages rule
func (*Rule) IsMutateExisting ¶ added in v1.7.0
IsMutateExisting checks if the mutate rule applies to existing resources
func (*Rule) SetAnyAllConditions ¶ added in v1.7.0
func (r *Rule) SetAnyAllConditions(in apiextensions.JSON)
func (*Rule) Validate ¶ added in v1.7.0
func (r *Rule) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
Validate implements programmatic validation
func (*Rule) ValidateMatchExcludeConflict ¶ added in v1.7.0
ValidateMatchExcludeConflict checks that the combination of the match and exclude blocks does not yield an empty set.
type Spec ¶
// Spec contains a list of Rule instances and other policy controls.
type Spec struct {
	// Rules is a list of Rule instances. A Policy contains multiple rules and
	// each rule can validate, mutate, or generate resources.
	Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`

	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled.
	// Rules within the same policy share the same failure behavior.
	// Allowed values are Ignore or Fail. Defaults to Fail.
	// NOTE(review): in Kubernetes webhook terms Ignore is fail-open (the request is admitted
	// when the call errors) and Fail is fail-closed — confirm against the webhook configuration
	// this value is propagated to.
	// +optional
	FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`

	// ValidationFailureAction controls if a validation policy rule failure should disallow
	// the admission review request (enforce), or allow (audit) the admission review request
	// and report an error in a policy report. Optional. The default value is "audit".
	// +optional
	// +kubebuilder:validation:Enum=audit;enforce
	ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`

	// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
	// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
	// +optional
	ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`

	// Background controls if rules are applied to existing resources during a background scan.
	// Optional. Default value is "true". The value must be set to "false" if the policy rule
	// uses variables that are only available in the admission review request (e.g. user name).
	// +optional
	Background *bool `json:"background,omitempty" yaml:"background,omitempty"`

	// SchemaValidation controls whether policy validation checks are performed.
	// Optional. The default value is set to "true"; it must be set to "false" to disable the validation checks.
	// +optional
	SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`

	// WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
	// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
	// based on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.
	WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`

	// MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
	// Default value is "false".
	// +optional
	MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`

	// GenerateExistingOnPolicyUpdate controls whether to trigger generate rules on existing resources.
	// If set to "true", generate rules will be triggered and applied to existing matched resources.
	// Defaults to "false" if not specified.
	// +optional
	GenerateExistingOnPolicyUpdate bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
}
Spec contains a list of Rule instances and other policy controls.
func (*Spec) BackgroundProcessingEnabled ¶ added in v1.7.0
BackgroundProcessingEnabled checks if background is set to true
func (*Spec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.
func (*Spec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Spec) GetFailurePolicy ¶ added in v1.7.0
func (s *Spec) GetFailurePolicy() FailurePolicyType
GetFailurePolicy returns the failure policy to be applied
func (*Spec) GetMutateExistingOnPolicyUpdate ¶ added in v1.7.0
GetMutateExistingOnPolicyUpdate returns the configured MutateExistingOnPolicyUpdate value.
func (*Spec) GetValidationFailureAction ¶ added in v1.7.0
func (s *Spec) GetValidationFailureAction() ValidationFailureAction
GetValidationFailureAction returns the validation failure action to be applied
func (*Spec) HasGenerate ¶ added in v1.7.0
HasGenerate checks for generate rule types
func (*Spec) HasImagesValidationChecks ¶ added in v1.7.0
HasImagesValidationChecks checks for image verification rules invoked during resource validation
func (*Spec) HasMutateOrValidateOrGenerate ¶ added in v1.7.0
HasMutateOrValidateOrGenerate checks for rule types
func (*Spec) HasValidate ¶ added in v1.7.0
HasValidate checks for validate rule types
func (*Spec) HasVerifyImages ¶ added in v1.7.0
HasVerifyImages checks for image verification rules invoked during resource mutation
func (*Spec) IsGenerateExistingOnPolicyUpdate ¶ added in v1.7.0
IsGenerateExistingOnPolicyUpdate returns the configured GenerateExistingOnPolicyUpdate value.
func (*Spec) IsMutateExisting ¶ added in v1.7.0
IsMutateExisting checks if the mutate policy applies to existing resources
func (*Spec) Validate ¶ added in v1.7.0
func (s *Spec) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
Validate implements programmatic validation
func (*Spec) ValidateRuleNames ¶ added in v1.7.0
ValidateRuleNames checks if the rule names are unique across a policy
type StaticKeyAttestor ¶ added in v1.7.0
// StaticKeyAttestor verifies image signatures against a fixed set of public keys,
// optionally cross-checking the signature against a Rekor transparency log.
type StaticKeyAttestor struct {
	// PublicKeys is a set of X.509 public keys used to verify image signatures. The keys can be directly
	// specified or can be a variable reference to a key specified in a ConfigMap (see
	// https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each
	// key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of
	// attestors and the count is applied across the keys.
	PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`

	// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
	// Rekor is not checked, i.e. signatures are accepted on key verification alone without any
	// transparency-log lookup. If an empty object is provided the public instance of
	// Rekor (https://rekor.sigstore.dev) is used.
	// +kubebuilder:validation:Optional
	Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
}
func (*StaticKeyAttestor) DeepCopy ¶ added in v1.7.0
func (in *StaticKeyAttestor) DeepCopy() *StaticKeyAttestor
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticKeyAttestor.
func (*StaticKeyAttestor) DeepCopyInto ¶ added in v1.7.0
func (in *StaticKeyAttestor) DeepCopyInto(out *StaticKeyAttestor)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type UserInfo ¶
// UserInfo contains information about the user performing the operation.
type UserInfo struct {
	// Roles is the list of namespaced role names for the user.
	// +optional
	Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`

	// ClusterRoles is the list of cluster-wide role names for the user.
	// +optional
	ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`

	// Subjects is the list of subject names like users, user groups, and service accounts.
	// +optional
	Subjects []rbacv1.Subject `json:"subjects,omitempty" yaml:"subjects,omitempty"`
}
UserInfo contains information about the user performing the operation.
func (*UserInfo) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInfo.
func (*UserInfo) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*UserInfo) ValidateRoles ¶ added in v1.7.0
ValidateRoles implements programmatic validation of Roles
type Validation ¶
// Validation defines checks to be performed on matching resources.
type Validation struct {
	// Message specifies a custom message to be displayed on failure.
	// +optional
	Message string `json:"message,omitempty" yaml:"message,omitempty"`

	// ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
	// +optional
	ForEachValidation []ForEachValidation `json:"foreach,omitempty" yaml:"foreach,omitempty"`

	// Pattern specifies an overlay-style pattern used to check resources.
	// The raw JSON is kept here; use GetPattern/SetPattern for the decoded form.
	// +optional
	RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`

	// AnyPattern specifies list of validation patterns. At least one of the patterns
	// must be satisfied for the validation rule to succeed.
	// The raw JSON is kept here; use GetAnyPattern/SetAnyPattern or DeserializeAnyPattern for the decoded form.
	// +optional
	RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`

	// Deny defines conditions used to pass or fail a validation rule.
	// +optional
	Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`
}
Validation defines checks to be performed on matching resources.
func (*Validation) DeepCopy ¶
func (in *Validation) DeepCopy() *Validation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation.
func (*Validation) DeepCopyInto ¶
func (in *Validation) DeepCopyInto(out *Validation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Validation) DeserializeAnyPattern ¶
func (in *Validation) DeserializeAnyPattern() ([]interface{}, error)
DeserializeAnyPattern deserializes apiextensions.JSON to []interface{}.
func (*Validation) GetAnyPattern ¶ added in v1.7.0
func (v *Validation) GetAnyPattern() apiextensions.JSON
func (*Validation) GetPattern ¶ added in v1.7.0
func (v *Validation) GetPattern() apiextensions.JSON
func (*Validation) SetAnyPattern ¶ added in v1.7.0
func (v *Validation) SetAnyPattern(in apiextensions.JSON)
func (*Validation) SetPattern ¶ added in v1.7.0
func (v *Validation) SetPattern(in apiextensions.JSON)
type ValidationFailureAction ¶ added in v1.7.0
// ValidationFailureAction defines the policy validation failure action.
type ValidationFailureAction string
ValidationFailureAction defines the policy validation failure action
// Policy Reporting Modes.
const (
	// Enforce blocks the request on failure.
	Enforce ValidationFailureAction = "enforce"
	// Audit indicates not to block the request on failure, but report failures as policy violations.
	Audit ValidationFailureAction = "audit"
)
Policy Reporting Modes
type ValidationFailureActionOverride ¶
// ValidationFailureActionOverride specifies a ValidationFailureAction for a set of namespaces,
// overriding the policy-level ValidationFailureAction for those namespaces.
type ValidationFailureActionOverride struct {
	// Action is the validation failure action applied in the listed Namespaces.
	// +kubebuilder:validation:Enum=audit;enforce
	Action ValidationFailureAction `json:"action,omitempty" yaml:"action,omitempty"`
	// Namespaces lists the namespaces to which Action applies.
	Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
}
func (*ValidationFailureActionOverride) DeepCopy ¶ added in v1.7.0
func (in *ValidationFailureActionOverride) DeepCopy() *ValidationFailureActionOverride
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationFailureActionOverride.
func (*ValidationFailureActionOverride) DeepCopyInto ¶ added in v1.7.0
func (in *ValidationFailureActionOverride) DeepCopyInto(out *ValidationFailureActionOverride)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Variable ¶ added in v1.7.0
// Variable defines an arbitrary JMESPath context variable that can be defined inline.
type Variable struct {
	// Value is any arbitrary JSON object representable in YAML or JSON form.
	// +optional
	Value *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`

	// JMESPath is an optional JMESPath Expression that can be used to
	// transform the variable.
	// +optional
	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`

	// Default is an optional arbitrary JSON object that the variable may take if the JMESPath
	// expression evaluates to nil.
	// +optional
	Default *apiextv1.JSON `json:"default,omitempty" yaml:"default,omitempty"`
}
Variable defines an arbitrary JMESPath context variable that can be defined inline.
func (*Variable) DeepCopy ¶ added in v1.7.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Variable.
func (*Variable) DeepCopyInto ¶ added in v1.7.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ViolatedRule ¶
// ViolatedRule stores the information regarding the rule.
type ViolatedRule struct {
	// Name specifies violated rule name.
	Name string `json:"name" yaml:"name"`

	// Type specifies violated rule type.
	Type string `json:"type" yaml:"type"`

	// Message specifies violation message.
	// +optional
	Message string `json:"message" yaml:"message"`

	// Status shows the rule response status.
	Status string `json:"status" yaml:"status"`
}
ViolatedRule stores the information regarding the rule.
func (*ViolatedRule) DeepCopy ¶
func (in *ViolatedRule) DeepCopy() *ViolatedRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ViolatedRule.
func (*ViolatedRule) DeepCopyInto ¶
func (in *ViolatedRule) DeepCopyInto(out *ViolatedRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
Source Files
- clusterpolicy_types.go
- common_types.go
- constants.go
- doc.go
- generaterequest_types.go
- image_verification_types.go
- match_resources_types.go
- policy_interface.go
- policy_status.go
- policy_types.go
- register.go
- resource_description_types.go
- resource_spec_types.go
- rule_types.go
- spec_types.go
- user_info_types.go
- utils.go
- violated_rule_types.go
- zz_generated.deepcopy.go