v2beta1

package
v1.8.5-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 19, 2022 License: Apache-2.0 Imports: 12 Imported by: 6

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// SchemeBuilder builds the scheme
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)

	// AddToScheme adds all types of this clientset into the given scheme
	AddToScheme = SchemeBuilder.AddToScheme
)
View Source 
var ConditionOperators = map[string]ConditionOperator{
	"Equals":                      ConditionOperator("Equals"),
	"NotEquals":                   ConditionOperator("NotEquals"),
	"AnyIn":                       ConditionOperator("AnyIn"),
	"AllIn":                       ConditionOperator("AllIn"),
	"AnyNotIn":                    ConditionOperator("AnyNotIn"),
	"AllNotIn":                    ConditionOperator("AllNotIn"),
	"GreaterThanOrEquals":         ConditionOperator("GreaterThanOrEquals"),
	"GreaterThan":                 ConditionOperator("GreaterThan"),
	"LessThanOrEquals":            ConditionOperator("LessThanOrEquals"),
	"LessThan":                    ConditionOperator("LessThan"),
	"DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"),
	"DurationGreaterThan":         ConditionOperator("DurationGreaterThan"),
	"DurationLessThanOrEquals":    ConditionOperator("DurationLessThanOrEquals"),
	"DurationLessThan":            ConditionOperator("DurationLessThan"),
}

ConditionOperators stores all the valid ConditionOperator types as key-value pairs. "Equals" evaluates if the key is equal to the value. "NotEquals" evaluates if the key is not equal to the value. "AnyIn" evaluates if any of the keys are contained in the set of values. "AllIn" evaluates if all the keys are contained in the set of values. "AnyNotIn" evaluates if any of the keys are not contained in the set of values. "AllNotIn" evaluates if all the keys are not contained in the set of values. "GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric). "GreaterThan" evaluates if the key (numeric) is greater than the value (numeric). "LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric). "LessThan" evaluates if the key (numeric) is less than the value (numeric). "DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration) "DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration) "DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration) "DurationLessThan" evaluates if the key (duration) is greater than the value (duration)

View Source 
var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v2beta1"}

SchemeGroupVersion is group version used to register these objects

Functions

func Kind 

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns back a Group qualified GroupKind

func Resource 

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type AnyAllConditions 

type AnyAllConditions struct {
	// AnyConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when an rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, at least one of the conditions need to pass
	// +optional
	AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`

	// AllConditions enable variable-based conditional rule execution. This is useful for
	// finer control of when an rule is applied. A condition can reference object data
	// using JMESPath notation.
	// Here, all of the conditions need to pass
	// +optional
	AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
}

func (*AnyAllConditions) DeepCopy 

func (in *AnyAllConditions) DeepCopy() *AnyAllConditions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions.

func (*AnyAllConditions) DeepCopyInto 

func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterPolicy 

type ClusterPolicy struct {
	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

	// Spec declares policy behaviors.
	Spec Spec `json:"spec" yaml:"spec"`

	// Status contains policy runtime data.
	// +optional
	Status kyvernov1.PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}

ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.

func (*ClusterPolicy) BackgroundProcessingEnabled 

func (p *ClusterPolicy) BackgroundProcessingEnabled() bool

BackgroundProcessingEnabled checks if background is set to true

func (*ClusterPolicy) DeepCopy 

func (in *ClusterPolicy) DeepCopy() *ClusterPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy.

func (*ClusterPolicy) DeepCopyInto 

func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterPolicy) DeepCopyObject 

func (in *ClusterPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterPolicy) GetKind 

func (p *ClusterPolicy) GetKind() string

func (*ClusterPolicy) GetSpec 

func (p *ClusterPolicy) GetSpec() *Spec

GetSpec returns the policy spec

func (*ClusterPolicy) HasAutoGenAnnotation 

func (p *ClusterPolicy) HasAutoGenAnnotation() bool

HasAutoGenAnnotation checks if a policy has auto-gen annotation

func (*ClusterPolicy) HasGenerate 

func (p *ClusterPolicy) HasGenerate() bool

HasGenerate checks for generate rule types

func (*ClusterPolicy) HasMutate 

func (p *ClusterPolicy) HasMutate() bool

HasMutate checks for mutate rule types

func (*ClusterPolicy) HasMutateOrValidateOrGenerate 

func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool

HasMutateOrValidateOrGenerate checks for rule types

func (*ClusterPolicy) HasValidate 

func (p *ClusterPolicy) HasValidate() bool

HasValidate checks for validate rule types

func (*ClusterPolicy) HasVerifyImages 

func (p *ClusterPolicy) HasVerifyImages() bool

HasVerifyImages checks for image verification rule types

func (*ClusterPolicy) HasYAMLSignatureVerify 

func (p *ClusterPolicy) HasYAMLSignatureVerify() bool

HasYAMLSignatureVerify checks for validate rule

func (*ClusterPolicy) IsNamespaced 

func (p *ClusterPolicy) IsNamespaced() bool

IsNamespaced indicates if the policy is namespace scoped

func (*ClusterPolicy) IsReady 

func (p *ClusterPolicy) IsReady() bool

IsReady indicates if the policy is ready to serve the admission request

func (*ClusterPolicy) Validate 

func (p *ClusterPolicy) Validate(clusterResources sets.String) (errs field.ErrorList)

Validate implements programmatic validation namespaced means that the policy is bound to a namespace and therefore should not filter/generate cluster wide resources.

type ClusterPolicyList 

type ClusterPolicyList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`
	Items           []ClusterPolicy `json:"items" yaml:"items"`
}

ClusterPolicyList is a list of ClusterPolicy instances.

func (*ClusterPolicyList) DeepCopy 

func (in *ClusterPolicyList) DeepCopy() *ClusterPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyList.

func (*ClusterPolicyList) DeepCopyInto 

func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterPolicyList) DeepCopyObject 

func (in *ClusterPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type Condition 

type Condition struct {
	// Key is the context entry (using JMESPath) for conditional rule evaluation.
	RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"`

	// Operator is the conditional operation to perform. Valid operators are:
	// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
	// GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
	// DurationLessThanOrEquals, DurationLessThan
	Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`

	// Value is the conditional value, or set of values. The values can be fixed set
	// or can be variables declared using JMESPath.
	// +optional
	RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`
}

func (*Condition) DeepCopy 

func (in *Condition) DeepCopy() *Condition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.

func (*Condition) DeepCopyInto 

func (in *Condition) DeepCopyInto(out *Condition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ConditionOperator 

type ConditionOperator string

ConditionOperator is the operation performed on condition key and value. +kubebuilder:validation:Enum=Equals;NotEquals;AnyIn;AllIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan

type Deny 

type Deny struct {
	// Multiple conditions can be declared under an `any` or `all` statement. A direct list
	// of conditions (without `any` or `all` statements) is also supported for backwards compatibility
	// See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
	RawAnyAllConditions *AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}

Deny specifies a list of conditions used to pass or fail a validation rule.

func (*Deny) DeepCopy 

func (in *Deny) DeepCopy() *Deny

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deny.

func (*Deny) DeepCopyInto 

func (in *Deny) DeepCopyInto(out *Deny)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImageVerification 

type ImageVerification struct {
	// ImageReferences is a list of matching image reference patterns. At least one pattern in the
	// list must match the image for the rule to apply. Each image reference consists of a registry
	// address (defaults to docker.io), repository, image, and tag (defaults to latest).
	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
	// +kubebuilder:validation:Optional
	ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"`

	// Attestors specified the required attestors (i.e. authorities)
	// +kubebuilder:validation:Optional
	Attestors []kyvernov1.AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"`

	// Attestations are optional checks for signed in-toto Statements used to verify the image.
	// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
	// OCI registry and decodes them into a list of Statement declarations.
	Attestations []kyvernov1.Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"`

	// Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
	// If specified Repository will override the default OCI image repository configured for the installation.
	// The repository can also be overridden per Attestor or Attestation.
	Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`

	// MutateDigest enables replacement of image tags with digests.
	// Defaults to true.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	MutateDigest bool `json:"mutateDigest" yaml:"mutateDigest"`

	// VerifyDigest validates that images have a digest.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	VerifyDigest bool `json:"verifyDigest" yaml:"verifyDigest"`

	// Required validates that images are verified i.e. have matched passed a signature or attestation check.
	// +kubebuilder:default=true
	// +kubebuilder:validation:Optional
	Required bool `json:"required" yaml:"required"`
}

ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration.

func (*ImageVerification) DeepCopy 

func (in *ImageVerification) DeepCopy() *ImageVerification

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.

func (*ImageVerification) DeepCopyInto 

func (in *ImageVerification) DeepCopyInto(out *ImageVerification)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ImageVerification) Validate 

func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList)

Validate implements programmatic validation

type MatchResources 

type MatchResources struct {
	// Any allows specifying resources which will be ORed
	// +optional
	Any kyvernov1.ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`

	// All allows specifying resources which will be ANDed
	// +optional
	All kyvernov1.ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`
}

MatchResources is used to specify resource and admission review request data for which a policy rule is applicable.

func (*MatchResources) DeepCopy 

func (in *MatchResources) DeepCopy() *MatchResources

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.

func (*MatchResources) DeepCopyInto 

func (in *MatchResources) DeepCopyInto(out *MatchResources)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*MatchResources) GetKinds 

func (m *MatchResources) GetKinds() []string

GetKinds returns all kinds

func (*MatchResources) Validate 

func (m *MatchResources) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)

Validate implements programmatic validation

type Policy 

type Policy struct {
	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

	// Spec defines policy behaviors and contains one or more rules.
	Spec Spec `json:"spec" yaml:"spec"`

	// Status contains policy runtime data.
	// +optional
	Status kyvernov1.PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}

Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.

func (*Policy) BackgroundProcessingEnabled 

func (p *Policy) BackgroundProcessingEnabled() bool

BackgroundProcessingEnabled checks if background is set to true

func (*Policy) DeepCopy 

func (in *Policy) DeepCopy() *Policy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.

func (*Policy) DeepCopyInto 

func (in *Policy) DeepCopyInto(out *Policy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Policy) DeepCopyObject 

func (in *Policy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*Policy) GetKind 

func (p *Policy) GetKind() string

func (*Policy) GetSpec 

func (p *Policy) GetSpec() *Spec

GetSpec returns the policy spec

func (*Policy) HasAutoGenAnnotation 

func (p *Policy) HasAutoGenAnnotation() bool

HasAutoGenAnnotation checks if a policy has auto-gen annotation

func (*Policy) HasGenerate 

func (p *Policy) HasGenerate() bool

HasGenerate checks for generate rule types

func (*Policy) HasMutate 

func (p *Policy) HasMutate() bool

HasMutate checks for mutate rule types

func (*Policy) HasMutateOrValidateOrGenerate 

func (p *Policy) HasMutateOrValidateOrGenerate() bool

HasMutateOrValidateOrGenerate checks for rule types

func (*Policy) HasValidate 

func (p *Policy) HasValidate() bool

HasValidate checks for validate rule types

func (*Policy) HasVerifyImages 

func (p *Policy) HasVerifyImages() bool

HasVerifyImages checks for image verification rule types

func (*Policy) IsNamespaced 

func (p *Policy) IsNamespaced() bool

IsNamespaced indicates if the policy is namespace scoped

func (*Policy) IsReady 

func (p *Policy) IsReady() bool

IsReady indicates if the policy is ready to serve the admission request

func (*Policy) Validate 

func (p *Policy) Validate(clusterResources sets.String) (errs field.ErrorList)

Validate implements programmatic validation. namespaced means that the policy is bound to a namespace and therefore should not filter/generate cluster wide resources.

type PolicyList 

type PolicyList struct {
	metav1.TypeMeta `json:",inline" yaml:",inline"`
	metav1.ListMeta `json:"metadata" yaml:"metadata"`
	Items           []Policy `json:"items" yaml:"items"`
}

PolicyList is a list of Policy instances.

func (*PolicyList) DeepCopy 

func (in *PolicyList) DeepCopy() *PolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList.

func (*PolicyList) DeepCopyInto 

func (in *PolicyList) DeepCopyInto(out *PolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyList) DeepCopyObject 

func (in *PolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ResourceDescription 

type ResourceDescription struct {
	// Kinds is a list of resource kinds.
	// +optional
	Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`

	// Names are the names of the resources. Each name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// +optional
	Names []string `json:"names,omitempty" yaml:"names,omitempty"`

	// Namespaces is a list of namespaces names. Each name supports wildcard characters
	// "*" (matches zero or many characters) and "?" (at least one character).
	// +optional
	Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`

	// Annotations is a  map of annotations (key-value pairs of type string). Annotation keys
	// and values support the wildcard characters "*" (matches zero or many characters) and
	// "?" (matches at least one character).
	// +optional
	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`

	// Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
	// characters `*` (matches zero or many characters) and `?` (matches one character).
	// Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
	// using ["*" : "*"] matches any key and value but does not match an empty label set.
	// +optional
	Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`

	// NamespaceSelector is a label selector for the resource namespace. Label keys and values
	// in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
	// and `?` (matches one character).Wildcards allows writing label selectors like
	// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
	// does not match an empty label set.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
}

ResourceDescription contains criteria used to match resources.

func (*ResourceDescription) DeepCopy 

func (in *ResourceDescription) DeepCopy() *ResourceDescription

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDescription.

func (*ResourceDescription) DeepCopyInto 

func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ResourceDescription) Validate 

func (r *ResourceDescription) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)

Validate implements programmatic validation

type ResourceFilter 

type ResourceFilter struct {
	// UserInfo contains information about the user performing the operation.
	// +optional
	kyvernov1.UserInfo `json:",omitempty" yaml:",omitempty"`

	// ResourceDescription contains information about the resource being created or modified.
	ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}

ResourceFilter allow users to "AND" or "OR" between resources

func (*ResourceFilter) DeepCopy 

func (in *ResourceFilter) DeepCopy() *ResourceFilter

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilter.

func (*ResourceFilter) DeepCopyInto 

func (in *ResourceFilter) DeepCopyInto(out *ResourceFilter)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ResourceFilters 

type ResourceFilters []ResourceFilter

ResourceFilters is a slice of ResourceFilter

func (ResourceFilters) DeepCopy 

func (in ResourceFilters) DeepCopy() ResourceFilters

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilters.

func (ResourceFilters) DeepCopyInto 

func (in ResourceFilters) DeepCopyInto(out *ResourceFilters)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Rule 

type Rule struct {
	// Name is a label to identify the rule, It must be unique within the policy.
	// +kubebuilder:validation:MaxLength=63
	Name string `json:"name,omitempty" yaml:"name,omitempty"`

	// Context defines variables and data sources that can be used during rule execution.
	// +optional
	Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`

	// MatchResources defines when this policy rule should be applied. The match
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the user name or role.
	// At least one kind is required.
	MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`

	// ExcludeResources defines when this policy rule should not be applied. The exclude
	// criteria can include resource information (e.g. kind, name, namespace, labels)
	// and admission review request information like the name or role.
	// +optional
	ExcludeResources MatchResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`

	// ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
	// This config is only valid for verifyImages rules.
	// +optional
	ImageExtractors kyvernov1.ImageExtractorConfigs `json:"imageExtractors,omitempty" yaml:"imageExtractors,omitempty"`

	// Preconditions are used to determine if a policy rule should be applied by evaluating a
	// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
	// of conditions (without `any` or `all` statements is supported for backwards compatibility but
	// See: https://kyverno.io/docs/writing-policies/preconditions/
	// +optional
	RawAnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`

	// Mutation is used to modify matching resources.
	// +optional
	Mutation kyvernov1.Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`

	// Validation is used to validate matching resources.
	// +optional
	Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`

	// Generation is used to create new resources.
	// +optional
	Generation kyvernov1.Generation `json:"generate,omitempty" yaml:"generate,omitempty"`

	// VerifyImages is used to verify image signatures and mutate them to add a digest
	// +optional
	VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
}

Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude.

func (*Rule) DeepCopy 

func (in *Rule) DeepCopy() *Rule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.

func (*Rule) DeepCopyInto 

func (in *Rule) DeepCopyInto(out *Rule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Rule) GetCloneSyncForGenerate 

func (r *Rule) GetCloneSyncForGenerate() (clone bool, sync bool)

IsCloneSyncGenerate checks if the generate rule has the clone block with sync=true

func (*Rule) HasGenerate 

func (r *Rule) HasGenerate() bool

HasGenerate checks for generate rule

func (*Rule) HasImagesValidationChecks 

func (r *Rule) HasImagesValidationChecks() bool

HasImagesValidationChecks checks whether the verifyImages rule has validation checks

func (*Rule) HasMutate 

func (r *Rule) HasMutate() bool

HasMutate checks for mutate rule

func (*Rule) HasValidate 

func (r *Rule) HasValidate() bool

HasValidate checks for validate rule

func (*Rule) HasVerifyImages 

func (r *Rule) HasVerifyImages() bool

HasVerifyImages checks for verifyImages rule

func (Rule) HasYAMLSignatureVerify 

func (r Rule) HasYAMLSignatureVerify() bool

HasYAMLSignatureVerify checks for validate.manifests rule

func (*Rule) IsMutateExisting 

func (r *Rule) IsMutateExisting() bool

IsMutateExisting checks if the mutate rule applies to existing resources

func (*Rule) Validate 

func (r *Rule) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)

Validate implements programmatic validation

func (*Rule) ValidateMatchExcludeConflict 

func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList)

ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set

func (*Rule) ValidateRuleType 

func (r *Rule) ValidateRuleType(path *field.Path) (errs field.ErrorList)

ValidateRuleType checks only one type of rule is defined per rule

type Spec 

type Spec struct {
	// Rules is a list of Rule instances. A Policy contains multiple rules and
	// each rule can validate, mutate, or generate resources.
	Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`

	// ApplyRules controls how rules in a policy are applied. Rule are processed in
	// the order of declaration. When set to `One` processing stops after a rule has
	// been applied i.e. the rule matches and results in a pass, fail, or error. When
	// set to `All` all rules in the policy are processed. The default is `All`.
	// +optional
	ApplyRules *kyvernov1.ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`

	// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
	// Rules within the same policy share the same failure behavior.
	// Allowed values are Ignore or Fail. Defaults to Fail.
	// +optional
	FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`

	// ValidationFailureAction defines if a validation policy rule violation should block
	// the admission review request (enforce), or allow (audit) the admission review request
	// and report an error in a policy report. Optional.
	// Allowed values are audit or enforce. The default value is "audit".
	// +optional
	// +kubebuilder:validation:Enum=audit;enforce
	// +kubebuilder:default=audit
	ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`

	// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
	// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
	// +optional
	ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`

	// Background controls if rules are applied to existing resources during a background scan.
	// Optional. Default value is "true". The value must be set to "false" if the policy rule
	// uses variables that are only available in the admission review request (e.g. user name).
	// +optional
	// +kubebuilder:default=true
	Background *bool `json:"background,omitempty" yaml:"background,omitempty"`

	// SchemaValidation skips validation checks for policies as well as patched resources.
	// Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
	// +optional
	SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`

	// WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
	// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
	// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
	WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`

	// MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
	// Default value is "false".
	// +optional
	MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`

	// GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources
	// If is set to "true" generate rule will be triggered and applied to existing matched resources.
	// Defaults to "false" if not specified.
	// +optional
	GenerateExistingOnPolicyUpdate bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
}

Spec contains a list of Rule instances and other policy controls.

func (*Spec) BackgroundProcessingEnabled 

func (s *Spec) BackgroundProcessingEnabled() bool

BackgroundProcessingEnabled checks if background is set to true

func (*Spec) DeepCopy 

func (in *Spec) DeepCopy() *Spec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.

func (*Spec) DeepCopyInto 

func (in *Spec) DeepCopyInto(out *Spec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Spec) GetApplyRules 

func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType

GetFailurePolicy returns the failure policy to be applied

func (*Spec) GetFailurePolicy 

func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType

GetFailurePolicy returns the failure policy to be applied

func (*Spec) GetMutateExistingOnPolicyUpdate 

func (s *Spec) GetMutateExistingOnPolicyUpdate() bool

GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value

func (*Spec) GetValidationFailureAction 

func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction

GetValidationFailureAction returns the validation failure action to be applied

func (*Spec) HasGenerate 

func (s *Spec) HasGenerate() bool

HasGenerate checks for generate rule types

func (*Spec) HasImagesValidationChecks 

func (s *Spec) HasImagesValidationChecks() bool

HasImagesValidationChecks checks for image verification rules invoked during resource validation

func (*Spec) HasMutate 

func (s *Spec) HasMutate() bool

HasMutate checks for mutate rule types

func (*Spec) HasMutateOrValidateOrGenerate 

func (s *Spec) HasMutateOrValidateOrGenerate() bool

HasMutateOrValidateOrGenerate checks for rule types

func (*Spec) HasValidate 

func (s *Spec) HasValidate() bool

HasValidate checks for validate rule types

func (*Spec) HasVerifyImages 

func (s *Spec) HasVerifyImages() bool

HasVerifyImages checks for image verification rules invoked during resource mutation

func (*Spec) HasYAMLSignatureVerify 

func (s *Spec) HasYAMLSignatureVerify() bool

HasYAMLSignatureVerify checks for image verification rules invoked during resource mutation

func (*Spec) IsGenerateExistingOnPolicyUpdate 

func (s *Spec) IsGenerateExistingOnPolicyUpdate() bool

IsGenerateExistingOnPolicyUpdate return GenerateExistingOnPolicyUpdate set value

func (*Spec) IsMutateExisting 

func (s *Spec) IsMutateExisting() bool

IsMutateExisting checks if the mutate policy applies to existing resources

func (*Spec) SetRules 

func (s *Spec) SetRules(rules []Rule)

func (*Spec) Validate 

func (s *Spec) Validate(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)

Validate implements programmatic validation

func (*Spec) ValidateRuleNames 

func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList)

ValidateRuleNames checks if the rule names are unique across a policy

func (*Spec) ValidateRules 

func (s *Spec) ValidateRules(path *field.Path, namespaced bool, clusterResources sets.String) (errs field.ErrorList)

ValidateRules implements programmatic validation of Rules

type Validation 

type Validation struct {
	// Message specifies a custom message to be displayed on failure.
	// +optional
	Message string `json:"message,omitempty" yaml:"message,omitempty"`

	// Manifest specifies conditions for manifest verification
	// +optional
	Manifests *kyvernov1.Manifests `json:"manifests,omitempty" yaml:"manifests,omitempty"`

	// ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
	// +optional
	ForEachValidation []kyvernov1.ForEachValidation `json:"foreach,omitempty" yaml:"foreach,omitempty"`

	// Pattern specifies an overlay-style pattern used to check resources.
	// +optional
	RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`

	// AnyPattern specifies list of validation patterns. At least one of the patterns
	// must be satisfied for the validation rule to succeed.
	// +optional
	RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`

	// Deny defines conditions used to pass or fail a validation rule.
	// +optional
	Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`

	// PodSecurity applies exemptions for Kubernetes Pod Security admission
	// by specifying exclusions for Pod Security Standards controls.
	// +optional
	PodSecurity *kyvernov1.PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`
}

Validation defines checks to be performed on matching resources.

func (*Validation) DeepCopy 

func (in *Validation) DeepCopy() *Validation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation.

func (*Validation) DeepCopyInto 

func (in *Validation) DeepCopyInto(out *Validation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.