Documentation
¶
Index ¶
- Variables
- func Kind(kind string) schema.GroupKind
- func Resource(resource string) schema.GroupResource
- type AnyAllConditions
- type ClusterPolicy
- func (p *ClusterPolicy) BackgroundProcessingEnabled() bool
- func (in *ClusterPolicy) DeepCopy() *ClusterPolicy
- func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)
- func (in *ClusterPolicy) DeepCopyObject() runtime.Object
- func (p *ClusterPolicy) GetKind() string
- func (p *ClusterPolicy) GetSpec() *Spec
- func (p *ClusterPolicy) HasAutoGenAnnotation() bool
- func (p *ClusterPolicy) HasGenerate() bool
- func (p *ClusterPolicy) HasMutate() bool
- func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool
- func (p *ClusterPolicy) HasValidate() bool
- func (p *ClusterPolicy) HasVerifyImages() bool
- func (p *ClusterPolicy) HasYAMLSignatureVerify() bool
- func (p *ClusterPolicy) IsNamespaced() bool
- func (p *ClusterPolicy) IsReady() bool
- func (p *ClusterPolicy) Validate(clusterResources sets.String) (errs field.ErrorList)
- type ClusterPolicyList
- type Condition
- type ConditionOperator
- type Deny
- type ImageVerification
- type MatchResources
- type Policy
- func (p *Policy) BackgroundProcessingEnabled() bool
- func (in *Policy) DeepCopy() *Policy
- func (in *Policy) DeepCopyInto(out *Policy)
- func (in *Policy) DeepCopyObject() runtime.Object
- func (p *Policy) GetKind() string
- func (p *Policy) GetSpec() *Spec
- func (p *Policy) HasAutoGenAnnotation() bool
- func (p *Policy) HasGenerate() bool
- func (p *Policy) HasMutate() bool
- func (p *Policy) HasMutateOrValidateOrGenerate() bool
- func (p *Policy) HasValidate() bool
- func (p *Policy) HasVerifyImages() bool
- func (p *Policy) IsNamespaced() bool
- func (p *Policy) Validate(clusterResources sets.String) (errs field.ErrorList)
- type PolicyList
- type ResourceDescription
- type ResourceFilter
- type ResourceFilters
- type Rule
- func (in *Rule) DeepCopy() *Rule
- func (in *Rule) DeepCopyInto(out *Rule)
- func (r *Rule) GetCloneSyncForGenerate() (clone bool, sync bool)
- func (r *Rule) HasGenerate() bool
- func (r *Rule) HasImagesValidationChecks() bool
- func (r *Rule) HasMutate() bool
- func (r *Rule) HasValidate() bool
- func (r *Rule) HasVerifyImages() bool
- func (r Rule) HasYAMLSignatureVerify() bool
- func (r *Rule) IsMutateExisting() bool
- func (r *Rule) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
- func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList)
- func (r *Rule) ValidateRuleType(path *field.Path) (errs field.ErrorList)
- type Spec
- func (s *Spec) BackgroundProcessingEnabled() bool
- func (in *Spec) DeepCopy() *Spec
- func (in *Spec) DeepCopyInto(out *Spec)
- func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType
- func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType
- func (s *Spec) GetMutateExistingOnPolicyUpdate() bool
- func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction
- func (s *Spec) HasGenerate() bool
- func (s *Spec) HasImagesValidationChecks() bool
- func (s *Spec) HasMutate() bool
- func (s *Spec) HasMutateOrValidateOrGenerate() bool
- func (s *Spec) HasValidate() bool
- func (s *Spec) HasVerifyImages() bool
- func (s *Spec) HasYAMLSignatureVerify() bool
- func (s *Spec) IsGenerateExistingOnPolicyUpdate() bool
- func (s *Spec) IsMutateExisting() bool
- func (s *Spec) SetRules(rules []Rule)
- func (s *Spec) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
- func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList)
- func (s *Spec) ValidateRules(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
- type Validation
Constants ¶
This section is empty.
Variables ¶
var ( // SchemeBuilder builds the scheme SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) // AddToScheme adds all types of this clientset into the given scheme AddToScheme = SchemeBuilder.AddToScheme )
var ConditionOperators = map[string]ConditionOperator{ "Equals": ConditionOperator("Equals"), "NotEquals": ConditionOperator("NotEquals"), "AnyIn": ConditionOperator("AnyIn"), "AllIn": ConditionOperator("AllIn"), "AnyNotIn": ConditionOperator("AnyNotIn"), "AllNotIn": ConditionOperator("AllNotIn"), "GreaterThanOrEquals": ConditionOperator("GreaterThanOrEquals"), "GreaterThan": ConditionOperator("GreaterThan"), "LessThanOrEquals": ConditionOperator("LessThanOrEquals"), "LessThan": ConditionOperator("LessThan"), "DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"), "DurationGreaterThan": ConditionOperator("DurationGreaterThan"), "DurationLessThanOrEquals": ConditionOperator("DurationLessThanOrEquals"), "DurationLessThan": ConditionOperator("DurationLessThan"), }
ConditionOperators stores all the valid ConditionOperator types as key-value pairs. "Equals" evaluates if the key is equal to the value. "NotEquals" evaluates if the key is not equal to the value. "AnyIn" evaluates if any of the keys are contained in the set of values. "AllIn" evaluates if all the keys are contained in the set of values. "AnyNotIn" evaluates if any of the keys are not contained in the set of values. "AllNotIn" evaluates if all the keys are not contained in the set of values. "GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric). "GreaterThan" evaluates if the key (numeric) is greater than the value (numeric). "LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric). "LessThan" evaluates if the key (numeric) is less than the value (numeric). "DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration) "DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration) "DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration) "DurationLessThan" evaluates if the key (duration) is greater than the value (duration)
var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v2beta1"}
SchemeGroupVersion is group version used to register these objects
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type AnyAllConditions ¶
type AnyAllConditions struct { // AnyConditions enable variable-based conditional rule execution. This is useful for // finer control of when an rule is applied. A condition can reference object data // using JMESPath notation. // Here, at least one of the conditions need to pass // +optional AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"` // AllConditions enable variable-based conditional rule execution. This is useful for // finer control of when an rule is applied. A condition can reference object data // using JMESPath notation. // Here, all of the conditions need to pass // +optional AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"` }
func (*AnyAllConditions) DeepCopy ¶
func (in *AnyAllConditions) DeepCopy() *AnyAllConditions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions.
func (*AnyAllConditions) DeepCopyInto ¶
func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterPolicy ¶
type ClusterPolicy struct { metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"` metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"` // Spec declares policy behaviors. Spec Spec `json:"spec" yaml:"spec"` // Status contains policy runtime data. // +optional Status kyvernov1.PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"` }
ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.
func (*ClusterPolicy) BackgroundProcessingEnabled ¶
func (p *ClusterPolicy) BackgroundProcessingEnabled() bool
BackgroundProcessingEnabled checks if background is set to true
func (*ClusterPolicy) DeepCopy ¶
func (in *ClusterPolicy) DeepCopy() *ClusterPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy.
func (*ClusterPolicy) DeepCopyInto ¶
func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterPolicy) DeepCopyObject ¶
func (in *ClusterPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterPolicy) GetKind ¶
func (p *ClusterPolicy) GetKind() string
func (*ClusterPolicy) GetSpec ¶
func (p *ClusterPolicy) GetSpec() *Spec
GetSpec returns the policy spec
func (*ClusterPolicy) HasAutoGenAnnotation ¶
func (p *ClusterPolicy) HasAutoGenAnnotation() bool
HasAutoGenAnnotation checks if a policy has auto-gen annotation
func (*ClusterPolicy) HasGenerate ¶
func (p *ClusterPolicy) HasGenerate() bool
HasGenerate checks for generate rule types
func (*ClusterPolicy) HasMutate ¶
func (p *ClusterPolicy) HasMutate() bool
HasMutate checks for mutate rule types
func (*ClusterPolicy) HasMutateOrValidateOrGenerate ¶
func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool
HasMutateOrValidateOrGenerate checks for rule types
func (*ClusterPolicy) HasValidate ¶
func (p *ClusterPolicy) HasValidate() bool
HasValidate checks for validate rule types
func (*ClusterPolicy) HasVerifyImages ¶
func (p *ClusterPolicy) HasVerifyImages() bool
HasVerifyImages checks for image verification rule types
func (*ClusterPolicy) HasYAMLSignatureVerify ¶
func (p *ClusterPolicy) HasYAMLSignatureVerify() bool
HasYAMLSignatureVerify checks for validate rule
func (*ClusterPolicy) IsNamespaced ¶
func (p *ClusterPolicy) IsNamespaced() bool
IsNamespaced indicates if the policy is namespace scoped
func (*ClusterPolicy) IsReady ¶
func (p *ClusterPolicy) IsReady() bool
IsReady indicates if the policy is ready to serve the admission request
type ClusterPolicyList ¶
type ClusterPolicyList struct { metav1.TypeMeta `json:",inline" yaml:",inline"` metav1.ListMeta `json:"metadata" yaml:"metadata"` Items []ClusterPolicy `json:"items" yaml:"items"` }
ClusterPolicyList is a list of ClusterPolicy instances.
func (*ClusterPolicyList) DeepCopy ¶
func (in *ClusterPolicyList) DeepCopy() *ClusterPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyList.
func (*ClusterPolicyList) DeepCopyInto ¶
func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterPolicyList) DeepCopyObject ¶
func (in *ClusterPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type Condition ¶
type Condition struct { // Key is the context entry (using JMESPath) for conditional rule evaluation. RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"` // Operator is the conditional operation to perform. Valid operators are: // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, // GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, // DurationLessThanOrEquals, DurationLessThan Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"` // Value is the conditional value, or set of values. The values can be fixed set // or can be variables declared using JMESPath. // +optional RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"` }
func (*Condition) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (*Condition) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ConditionOperator ¶
type ConditionOperator string
ConditionOperator is the operation performed on condition key and value. +kubebuilder:validation:Enum=Equals;NotEquals;AnyIn;AllIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan
type Deny ¶
type Deny struct { // Multiple conditions can be declared under an `any` or `all` statement. A direct list // of conditions (without `any` or `all` statements) is also supported for backwards compatibility // See: https://kyverno.io/docs/writing-policies/validate/#deny-rules RawAnyAllConditions *AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"` }
Deny specifies a list of conditions used to pass or fail a validation rule.
func (*Deny) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deny.
func (*Deny) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ImageVerification ¶
type ImageVerification struct { // ImageReferences is a list of matching image reference patterns. At least one pattern in the // list must match the image for the rule to apply. Each image reference consists of a registry // address (defaults to docker.io), repository, image, and tag (defaults to latest). // Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. // +kubebuilder:validation:Optional ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"` // Attestors specified the required attestors (i.e. authorities) // +kubebuilder:validation:Optional Attestors []kyvernov1.AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"` // Attestations are optional checks for signed in-toto Statements used to verify the image. // See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the // OCI registry and decodes them into a list of Statement declarations. Attestations []kyvernov1.Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"` // Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. // If specified Repository will override the default OCI image repository configured for the installation. // The repository can also be overridden per Attestor or Attestation. Repository string `json:"repository,omitempty" yaml:"repository,omitempty"` // MutateDigest enables replacement of image tags with digests. // Defaults to true. // +kubebuilder:default=true // +kubebuilder:validation:Optional MutateDigest bool `json:"mutateDigest" yaml:"mutateDigest"` // VerifyDigest validates that images have a digest. // +kubebuilder:default=true // +kubebuilder:validation:Optional VerifyDigest bool `json:"verifyDigest" yaml:"verifyDigest"` // Required validates that images are verified i.e. have matched passed a signature or attestation check. // +kubebuilder:default=true // +kubebuilder:validation:Optional Required bool `json:"required" yaml:"required"` }
ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration.
func (*ImageVerification) DeepCopy ¶
func (in *ImageVerification) DeepCopy() *ImageVerification
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.
func (*ImageVerification) DeepCopyInto ¶
func (in *ImageVerification) DeepCopyInto(out *ImageVerification)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MatchResources ¶
type MatchResources struct { // Any allows specifying resources which will be ORed // +optional Any kyvernov1.ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"` // All allows specifying resources which will be ANDed // +optional All kyvernov1.ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"` }
MatchResources is used to specify resource and admission review request data for which a policy rule is applicable.
func (*MatchResources) DeepCopy ¶
func (in *MatchResources) DeepCopy() *MatchResources
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.
func (*MatchResources) DeepCopyInto ¶
func (in *MatchResources) DeepCopyInto(out *MatchResources)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*MatchResources) GetKinds ¶
func (m *MatchResources) GetKinds() []string
GetKinds returns all kinds
type Policy ¶
type Policy struct { metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"` metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"` // Spec defines policy behaviors and contains one or more rules. Spec Spec `json:"spec" yaml:"spec"` }
Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.
func (*Policy) BackgroundProcessingEnabled ¶
BackgroundProcessingEnabled checks if background is set to true
func (*Policy) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (*Policy) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Policy) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*Policy) HasAutoGenAnnotation ¶
HasAutoGenAnnotation checks if a policy has auto-gen annotation
func (*Policy) HasGenerate ¶
HasGenerate checks for generate rule types
func (*Policy) HasMutateOrValidateOrGenerate ¶
HasMutateOrValidateOrGenerate checks for rule types
func (*Policy) HasValidate ¶
HasValidate checks for validate rule types
func (*Policy) HasVerifyImages ¶
HasVerifyImages checks for image verification rule types
func (*Policy) IsNamespaced ¶
IsNamespaced indicates if the policy is namespace scoped
type PolicyList ¶
type PolicyList struct { metav1.TypeMeta `json:",inline" yaml:",inline"` metav1.ListMeta `json:"metadata" yaml:"metadata"` Items []Policy `json:"items" yaml:"items"` }
PolicyList is a list of Policy instances.
func (*PolicyList) DeepCopy ¶
func (in *PolicyList) DeepCopy() *PolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList.
func (*PolicyList) DeepCopyInto ¶
func (in *PolicyList) DeepCopyInto(out *PolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyList) DeepCopyObject ¶
func (in *PolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ResourceDescription ¶
type ResourceDescription struct { // Kinds is a list of resource kinds. // +optional Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"` // Names are the names of the resources. Each name supports wildcard characters // "*" (matches zero or many characters) and "?" (at least one character). // +optional Names []string `json:"names,omitempty" yaml:"names,omitempty"` // Namespaces is a list of namespaces names. Each name supports wildcard characters // "*" (matches zero or many characters) and "?" (at least one character). // +optional Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"` // Annotations is a map of annotations (key-value pairs of type string). Annotation keys // and values support the wildcard characters "*" (matches zero or many characters) and // "?" (matches at least one character). // +optional Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` // Selector is a label selector. Label keys and values in `matchLabels` support the wildcard // characters `*` (matches zero or many characters) and `?` (matches one character). // Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that // using ["*" : "*"] matches any key and value but does not match an empty label set. // +optional Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"` // NamespaceSelector is a label selector for the resource namespace. Label keys and values // in `matchLabels` support the wildcard characters `*` (matches zero or many characters) // and `?` (matches one character).Wildcards allows writing label selectors like // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but // does not match an empty label set. // +optional NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"` }
ResourceDescription contains criteria used to match resources.
func (*ResourceDescription) DeepCopy ¶
func (in *ResourceDescription) DeepCopy() *ResourceDescription
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDescription.
func (*ResourceDescription) DeepCopyInto ¶
func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceFilter ¶
type ResourceFilter struct { // UserInfo contains information about the user performing the operation. // +optional kyvernov1.UserInfo `json:",omitempty" yaml:",omitempty"` // ResourceDescription contains information about the resource being created or modified. ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"` }
ResourceFilter allow users to "AND" or "OR" between resources
func (*ResourceFilter) DeepCopy ¶
func (in *ResourceFilter) DeepCopy() *ResourceFilter
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilter.
func (*ResourceFilter) DeepCopyInto ¶
func (in *ResourceFilter) DeepCopyInto(out *ResourceFilter)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceFilters ¶
type ResourceFilters []ResourceFilter
ResourceFilters is a slice of ResourceFilter
func (ResourceFilters) DeepCopy ¶
func (in ResourceFilters) DeepCopy() ResourceFilters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilters.
func (ResourceFilters) DeepCopyInto ¶
func (in ResourceFilters) DeepCopyInto(out *ResourceFilters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Rule ¶
type Rule struct { // Name is a label to identify the rule, It must be unique within the policy. // +kubebuilder:validation:MaxLength=63 Name string `json:"name,omitempty" yaml:"name,omitempty"` // Context defines variables and data sources that can be used during rule execution. // +optional Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"` // MatchResources defines when this policy rule should be applied. The match // criteria can include resource information (e.g. kind, name, namespace, labels) // and admission review request information like the user name or role. // At least one kind is required. MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"` // ExcludeResources defines when this policy rule should not be applied. The exclude // criteria can include resource information (e.g. kind, name, namespace, labels) // and admission review request information like the name or role. // +optional ExcludeResources MatchResources `json:"exclude,omitempty" yaml:"exclude,omitempty"` // ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. // This config is only valid for verifyImages rules. // +optional ImageExtractors kyvernov1.ImageExtractorConfigs `json:"imageExtractors,omitempty" yaml:"imageExtractors,omitempty"` // Preconditions are used to determine if a policy rule should be applied by evaluating a // set of conditions. The declaration can contain nested `any` or `all` statements. A direct list // of conditions (without `any` or `all` statements is supported for backwards compatibility but // See: https://kyverno.io/docs/writing-policies/preconditions/ // +optional RawAnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"` // Mutation is used to modify matching resources. // +optional Mutation kyvernov1.Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"` // Validation is used to validate matching resources. // +optional Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"` // Generation is used to create new resources. // +optional Generation kyvernov1.Generation `json:"generate,omitempty" yaml:"generate,omitempty"` // VerifyImages is used to verify image signatures and mutate them to add a digest // +optional VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"` }
Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude.
func (*Rule) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
func (*Rule) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Rule) GetCloneSyncForGenerate ¶
IsCloneSyncGenerate checks if the generate rule has the clone block with sync=true
func (*Rule) HasImagesValidationChecks ¶
HasImagesValidationChecks checks whether the verifyImages rule has validation checks
func (*Rule) HasVerifyImages ¶
HasVerifyImages checks for verifyImages rule
func (Rule) HasYAMLSignatureVerify ¶
HasYAMLSignatureVerify checks for validate.manifests rule
func (*Rule) IsMutateExisting ¶
IsMutateExisting checks if the mutate rule applies to existing resources
func (*Rule) Validate ¶
func (r *Rule) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
Validate implements programmatic validation
func (*Rule) ValidateMatchExcludeConflict ¶
ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set
type Spec ¶
type Spec struct { // Rules is a list of Rule instances. A Policy contains multiple rules and // each rule can validate, mutate, or generate resources. Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"` // ApplyRules controls how rules in a policy are applied. Rule are processed in // the order of declaration. When set to `One` processing stops after a rule has // been applied i.e. the rule matches and results in a pass, fail, or error. When // set to `All` all rules in the policy are processed. The default is `All`. // +optional ApplyRules *kyvernov1.ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"` // FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. // Rules within the same policy share the same failure behavior. // Allowed values are Ignore or Fail. Defaults to Fail. // +optional FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` // ValidationFailureAction defines if a validation policy rule violation should block // the admission review request (enforce), or allow (audit) the admission review request // and report an error in a policy report. Optional. // Allowed values are audit or enforce. The default value is "audit". // +optional // +kubebuilder:validation:Enum=audit;enforce ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. // +optional ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` // Background controls if rules are applied to existing resources during a background scan. // Optional. Default value is "true". The value must be set to "false" if the policy rule // uses variables that are only available in the admission review request (e.g. user name). // +optional Background *bool `json:"background,omitempty" yaml:"background,omitempty"` // SchemaValidation skips policy validation checks. // Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. // +optional SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"` // WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. // After the configured time expires, the admission request may fail, or may simply ignore the policy results, // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"` // MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. // Default value is "false". // +optional MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"` // GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources // If is set to "true" generate rule will be triggered and applied to existing matched resources. // Defaults to "false" if not specified. // +optional GenerateExistingOnPolicyUpdate bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"` }
Spec contains a list of Rule instances and other policy controls.
func (*Spec) BackgroundProcessingEnabled ¶
BackgroundProcessingEnabled checks if background is set to true
func (*Spec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.
func (*Spec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Spec) GetApplyRules ¶
func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType
GetFailurePolicy returns the failure policy to be applied
func (*Spec) GetFailurePolicy ¶
func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType
GetFailurePolicy returns the failure policy to be applied
func (*Spec) GetMutateExistingOnPolicyUpdate ¶
GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
func (*Spec) GetValidationFailureAction ¶
func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction
GetValidationFailureAction returns the validation failure action to be applied
func (*Spec) HasGenerate ¶
HasGenerate checks for generate rule types
func (*Spec) HasImagesValidationChecks ¶
HasImagesValidationChecks checks for image verification rules invoked during resource validation
func (*Spec) HasMutateOrValidateOrGenerate ¶
HasMutateOrValidateOrGenerate checks for rule types
func (*Spec) HasValidate ¶
HasValidate checks for validate rule types
func (*Spec) HasVerifyImages ¶
HasVerifyImages checks for image verification rules invoked during resource mutation
func (*Spec) HasYAMLSignatureVerify ¶
HasYAMLSignatureVerify checks for image verification rules invoked during resource mutation
func (*Spec) IsGenerateExistingOnPolicyUpdate ¶
IsGenerateExistingOnPolicyUpdate return GenerateExistingOnPolicyUpdate set value
func (*Spec) IsMutateExisting ¶
IsMutateExisting checks if the mutate policy applies to existing resources
func (*Spec) Validate ¶
func (s *Spec) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)
Validate implements programmatic validation
func (*Spec) ValidateRuleNames ¶
ValidateRuleNames checks if the rule names are unique across a policy
type Validation ¶
type Validation struct { // Message specifies a custom message to be displayed on failure. // +optional Message string `json:"message,omitempty" yaml:"message,omitempty"` // Manifest specifies conditions for manifest verification // +optional Manifests *kyvernov1.Manifests `json:"manifests,omitempty" yaml:"manifests,omitempty"` // ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. // +optional ForEachValidation []kyvernov1.ForEachValidation `json:"foreach,omitempty" yaml:"foreach,omitempty"` // Pattern specifies an overlay-style pattern used to check resources. // +optional RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"` // AnyPattern specifies list of validation patterns. At least one of the patterns // must be satisfied for the validation rule to succeed. // +optional RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"` // Deny defines conditions used to pass or fail a validation rule. // +optional Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"` // PodSecurity applies exemptions for Kubernetes Pod Security admission // by specifying exclusions for Pod Security Standards controls. // +optional PodSecurity *kyvernov1.PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"` }
Validation defines checks to be performed on matching resources.
func (*Validation) DeepCopy ¶
func (in *Validation) DeepCopy() *Validation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation.
func (*Validation) DeepCopyInto ¶
func (in *Validation) DeepCopyInto(out *Validation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.